This is the accessible text file for GAO report number GAO-04-823 entitled 'Federal Chief Information Officers: Responsibilities, Reporting Relationships, Tenure, and Challenges' which was released on July 21, 2004. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: July 2004: FEDERAL CHIEF INFORMATION OFFICERS: Responsibilities, Reporting Relationships, Tenure, and Challenges: [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-823]: GAO Highlights: Highlights of GAO-04-823, a report to congressional committees Why GAO Did This Study: Although the federal government has invested substantially in information technology (IT), its success in managing information resources has varied. Agencies have taken steps to implement modern strategies, systems, and management policies and practices, but they still face significant information and technology management challenges. Recognizing the key role of the chief information officer (CIO) in helping an agency to achieve better results through IT, congressional requesters asked GAO to study the current status of CIOs at major departments and agencies. Among the topics this report describes are (1) CIOs’ responsibilities and reporting relationships, and (2) current CIOs’ professional backgrounds and the tenures of all of the CIOs since enactment of the Clinger-Cohen Act. What GAO Found: GAO administered a questionnaire and interviewed CIOs at 27 major departments and agencies, finding that respondents were responsible for most of the 13 areas we identified as either required by statute or critical to effective information and technology management (see figure below). All of the CIOs had responsibility for five areas, including enterprise architecture and IT investment management. However, two of these areas—information disclosure and statistics—were outside the purview of more than half of the officers. Although the CIOs generally did not think placing responsibility for some areas in separate units presented a problem, having these responsibilities performed by multiple officials could make the integration of various information and tech bcnology management areas, as envisioned by law, more difficult to achieve. Given these results, it may be time to revisit whether the current statutory framework of responsibilities reflects the most effective assignment of information and technology management responsibilities. The law also generally requires that CIOs report directly to their agency heads, and 19 of the 27 said that they did. However, views were mixed among current and former officers on whether such a direct reporting relationship was important. Agency CIOs come from a wide variety of professional and educational backgrounds, but they almost always have IT or IT-related work or educational experience. Since enactment of the Clinger-Cohen Act, the median tenure of a federal CIO has been about 2 years; in contrast, both current CIOs and former agency IT executives most commonly cited 3 to 5 years as the time they needed to become effective. According to some current CIOs, high turnover is a problem because it can limit CIOs’ ability to put their agendas in place. Various mechanisms, such as human capital flexibilities, are available for agencies to use to help them try to reduce CIO turnover or mitigate its effect. Number of CIOs with Responsibility for Information and Technology Management Areas: [See PDF for image] [End of figure] What GAO Recommends: As Congress holds hearings on and introduces legislation related to information and technology management, GAO suggests that Congress consider the results of this review and whether the existing statutory requirements related to CIO responsibilities and reporting to the agency head reflect the most effective assignment of information and technology management responsibilities and reporting relationships. In responding to a draft of this report, most agencies stated that they had no comment. www.gao.gov/cgi-bin/getrpt?GAO-04-823. To view the full product, including the scope and methodology, click on the link above. For more information, contact David A. Powner, 202-512-9286 or pownerd@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Scope and Methodology: CIOs Responsible for Most Areas and Generally Reported to Agency Heads: CIOs Have Diverse Backgrounds and Generally Remained in Office about 2 Years: Major Challenges Facing Agency CIOs: Conclusions: Matter for Congressional Consideration: Agency Comments and Our Evaluation: Appendixes: Appendix I: Chief Information Officers (CIO) Interviewed: Appendix II: Former Agency Senior Information Technology (IT) Executive Panels: Appendix III: Summary of CIOs' Information Management and Technology Responsibilities at Major Departments and Agencies: Appendix IV: CIO Tenure at Each Department and Agency: Appendix V: Comments from the Department of Agriculture: Appendix VI: Comments from the Department of Defense (including the Departments of the Air Force, Army, and Navy): GAO Comments: Appendix VII: Comments from the Department of the Interior: GAO Comments: Appendix VIII: Comments from the Office of Personnel Management: GAO Comments: Appendix IX: Comments from the Department of the Treasury: Appendix X: Comments from the U.S. Agency for International Development: Appendix XI: GAO Contact and Staff Acknowledgments: GAO Contact: Staff Acknowledgments: Tables: Table 1: Former Agency Senior IT Executive Panels: Table 2: Statistical Analysis of CIO Tenure: Figures: Figure 1: Number of CIOs Reporting That They Were Responsible for Each Information and Technology Management Area: Figure 2: Major Challenges Facing Agency CIOs: Figure 3: Time Line of CIO Tenure at Each Department and Agency: Abbreviations: CIO: chief information officer: EA: enterprise architecture: e-gov: electronic government: FOIA: Freedom of Information Act: IRM: information resources management: IT: information technology: OMB: Office of Management and Budget: PRA: Paperwork Reduction Act: Letter July 21, 2004: The Honorable Susan M. Collins: Chairman, Committee on Governmental Affairs: United States Senate: The Honorable Tom Davis: Chairman, Committee on Government Reform: House of Representatives: The Honorable Adam H. Putnam: Chairman, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census: Committee on Government Reform: House of Representatives: Our work and that of others has shown that the federal government has had long-standing information and technology management problems. Various laws have been enacted to improve the government's performance in this area. For example, the Clinger-Cohen Act of 1996 requires agency heads to designate Chief Information Officers (CIO) to lead reforms to help control system development risks, better manage technology spending, and achieve real, measurable improvements in agency performance through better management of information resources. We have long been proponents of having strong agency CIOs and a central federal government CIO in order to address the government's many information and technology management challenges.[Footnote 1] Eight years after the passage of the Clinger-Cohen Act, our work[Footnote 2] illustrates that despite the government's expenditure of billions of dollars annually on information technology (IT), its management of these resources has produced mixed results. Although agencies have taken constructive steps to implement modern strategies, systems, and management policies and practices, our most recent high-risk and performance and accountability series identified continuing high-risk modernization efforts and governmentwide information and technology management challenges. As we have previously reported, an effective CIO can make a significant difference in building the institutional capacity needed to implement improvements to an agency's information and technology management capabilities which, among other things, should result in technology solutions that improve program performance. Recognizing the continued importance of the CIO position to achieving better results through information and technology management, you have asked us to perform two reviews in this area. First, this report will discuss the current status of federal CIOs at major departments and agencies. Second, we are beginning work on the development of a set of CIO best practices, based on the practices of leading organizations in the private sector. Along with our earlier work addressing the high- level organization and support of the CIO position in the private sector,[Footnote 3] these reports are expected to provide the Congress and others with an understanding of the current status of the role, responsibilities, and reporting relationships of agency CIOs and to describe opportunities to improve their status. In this report, our objectives are to describe (1) the responsibilities of agency CIOs and their reporting relationships, (2) the current CIOs' professional backgrounds and the tenures of all of the CIOs in office since enactment of the Clinger-Cohen Act, and (3) what the CIOs viewed as their major challenges. To address these objectives, we administered a questionnaire--covering 13 information and technology management areas, specifically IT/IRM strategic planning, IT capital planning and investment management, information security, IT/IRM human capital, information collection/paperwork reduction, information dissemination, records management, privacy, statistical policy and coordination, information disclosure, enterprise architecture, systems acquisition, development and integration, and e-government initiatives[Footnote 4]- -to the CIOs of the 27 major federal departments and agencies (23 entities identified in 31 U.S.C. 901,[Footnote 5] the Department of Homeland Security, and the 3 military services).[Footnote 6] In addition, we conducted interviews with each of these CIOs to corroborate information we had already received in the questionnaire and to obtain more specific information. We conducted our work at the 27 agencies during November 2003 through May 2004 in accordance with generally accepted government auditing standards. Results in Brief: Generally, CIOs were responsible for most of the 13 areas we identified as either required by statute or critical to effective information and technology management, and about 70 percent of them reported directly to the agency heads. All of the CIOs were assigned responsibility for five information and technology management areas--such as enterprise architecture and IT investment management--although they sometimes reported that they shared responsibility for these areas with other organizational units. In contrast, two of the information and technology management areas--information disclosure and statistics-- were the responsibility of fewer than half of the CIOs. While this alternative assignment of responsibility is not consistent with the statutes, the CIOs generally believed--in large part because other organizational units were assigned these duties--that not being responsible for certain information and technology management areas did not present a problem. Nevertheless, having these responsibilities performed by multiple officials could make the integration of various information and technology management areas, as envisioned by law, more difficult to achieve. Regarding the statutory requirements that certain CIOs have the management of information resources as their primary duty[Footnote 7] and that CIOs report directly to the agency head,[Footnote 8] only a few said that they had other major duties and 19 said they reported directly to their agency heads. Views were mixed among current CIOs and former agency IT executives on whether a direct reporting relationship was crucial to the success of the CIO. Current CIOs come from a wide variety of professional and educational backgrounds, and--since the enactment of the Clinger-Cohen Act--the permanent CIOs who had completed their time in office had a median tenure of about 2 years. Regarding their backgrounds, the current CIOs had worked in various sectors, almost always had IT or IT-related work or educational experience, and generally had business knowledge related to their agencies. Such variety is not unexpected, because a CIO should be selected based on the specific needs of an agency and the type of role he or she is expected to play. Agency CIOs' average time in office, however, was less than the 3 to 5 years that was most commonly cited by both current CIOs and former agency IT executives as the time needed for a CIO to be effective. In particular, in the 8 years since the enactment of the Clinger-Cohen Act, only about 35 percent of the permanent CIOs who had completed their time in office reportedly stayed in office for a minimum of 3 years. A high turnover rate is a problem, according to some current CIOs, because it can negatively impact their effectiveness. For example, they may not have time to put their agenda in place or form close working relationships with agency leadership. Various mechanisms, such as human capital flexibilities, are available to agencies to help them try to reduce CIO turnover or mitigate its effect. Current CIOs reported that they faced several major challenges, particularly in implementing effective IT management, obtaining sufficient and relevant resources, communicating and collaborating internally and externally, and managing change. These challenges are not new--we have previously reported on some of them. Nevertheless, the extent to which CIOs effectively tackle such challenges can contribute to their ability to achieve success. To support their efforts, we have issued guidance related to many of the reported challenges. We are suggesting that, as it holds hearings on and introduces legislation related to information and technology management, Congress consider whether the existing statutory requirements related to CIO responsibilities and reporting to the agency head reflect the most effective assignment of information and technology management responsibilities and reporting relationship. The results of this review--in conjunction with our ongoing work on best practices for CIOs' roles and responsibilities that are based on leading organizations in the private sector--may provide insights to contribute to that process. Based on their reviews of a draft of this report, OMB and all of the 27 agencies that were included in our review sent us responses. Most of the agencies stated that they had no comment. Of those that provided specific comments, OMB noted that they were unclear on the correlation between, or conclusions drawn about, who holds responsibility for the 13 areas we reviewed, and they questioned the need to include 3 responsibilities not required by statute to be the responsibility of the CIO. First, we did not attempt to draw conclusions regarding the relationship between the assignment of specific responsibilities and an agency's success in achieving desired outcomes in those areas. Second, the importance of the 3 areas questioned by OMB is borne out by the fact that over 90 percent of the CIOs have been assigned responsibility for them. The Departments of Defense and the Interior disagreed with the part of our Matter for Congressional Consideration that suggested that the Congress consider the results of this review that are related to CIO reporting relationships when holding hearings and introducing legislation on information and technology management. Although having CIOs report to agency heads can help provide strong support for CIOs in executing their responsibilities, the participants in our review offered a number of alternative reporting arrangements that could also provide CIOs with such support and that also warrant consideration. Accordingly, we continue to believe that, as the Congress holds hearings or considers legislation related to CIOs' responsibilities or reporting, it consider the results of our review in its deliberations. Finally, the Office of Personnel Management provided examples of actions the agency has taken to encourage the use of human capital management flexibilities, but it was outside the scope of this work to review these actions. We address these comments more fully in the Agency Comments and Our Evaluation section of this report. Background: Despite a substantial investment in IT, the federal government's management of information resources has produced mixed results. Although agencies have taken constructive steps to implement modern strategies, systems, and management policies and practices, our work continues to find that agencies face significant challenges. These challenges can be addressed with strong and committed leadership by the agency CIOs--a position that was established by the Congress to serve as the focal point for information and technology management issues within an agency. Major Information and Technology Management Challenges Facing Agency CIOs: Our most recent high-risk and performance and accountability series identified continuing high-risk system modernization efforts and governmentwide information and technology management challenges,[Footnote 9] namely, * pursuing opportunities for e-government; * improving the collection, use, and dissemination of government information; * strengthening information security; * constructing and enforcing sound enterprise architectures; * employing IT system and service management practices; and: * using effective agency IT investment management practices. Unless and until these challenges are overcome, federal agencies are unlikely to optimize their use of information and technology, which can affect an organization's ability to effectively and efficiently implement its programs and missions. Agency CIOs are key leaders in addressing these challenges. To allow them to serve effectively in this role, federal agencies must utilize the full potential of CIOs as information and technology management leaders and active participants in the development of the agency's strategic plans and policies. The CIOs, in turn, must meet the challenges of building credible organizations and developing and organizing information and technology management capabilities to meet mission needs. Legislative Evolution of Agency CIO Roles and Responsibilities: For more than 20 years, federal law has structured the management of information technology and information-related activities under the umbrella of information resources management (IRM).[Footnote 10] Originating in the 1977 recommendations of the Commission on Federal Paperwork, the IRM approach was first enacted into law in the Paperwork Reduction Act of 1980 (PRA).[Footnote 11] The 1980 Act focused primarily on centralizing governmentwide responsibilities in the Office of Management and Budget (OMB). The law gave OMB specific policy- setting and oversight duties regarding individual IRM areas--for example: records management, privacy, and the acquisition and use of automatic data processing and telecommunications equipment (which was later renamed information technology). The law also gave agencies a more general responsibility to carry out their IRM activities in an efficient, effective, and economical manner and to comply with OMB policies and guidelines. To assist in this effort, the law required that each agency head designate a senior official who would report directly to the agency head to carry out the responsibilities of the agency under the law. Together these requirements were intended to provide for a coordinated approach to managing federal agencies' information resources. The requirements addressed the entire information life cycle, from collection through disposition, in order to reduce information collection burdens on the public and to improve the efficiency and effectiveness of government. Amendments to the PRA in 1986 and in 1995 were designed to strengthen agency and OMB implementation of the law. Most particularly, the PRA of 1995 provided detailed agency requirements for each IRM area, to match the specific OMB provisions. The 1995 Act also required agencies to develop, for the first time, processes to select, control, and evaluate the results of major information systems initiatives. In 1996, the Clinger-Cohen Act supplemented the information technology management provisions of the PRA with detailed CIO requirements for IT capital planning and investment control and performance and results- based management.[Footnote 12] The 1996 Act also established the position of agency CIO by amending the PRA to rename the senior IRM officials CIOs and specifying additional responsibilities for them. Among these responsibilities, the act required that the CIOs in the 24 major departments and agencies specified in 31 U.S.C. 901 have IRM as their "primary duty." Accordingly, under current law,[Footnote 13] agency CIOs are required to carry out the responsibilities of their agencies with respect to information resources management, including: * information collection and the control of paperwork; * information dissemination; * statistical policy and coordination; * records management; * privacy, including compliance with the Privacy Act; * information security, including compliance with the Federal Information Security Management Act; * information disclosure, including compliance with the Freedom of Information Act; and: * information technology. Together, these legislated roles and responsibilities embody the policy that CIOs should play a key leadership role in ensuring that agencies manage their information functions in a coordinated and integrated fashion in order to improve the efficiency and effectiveness of government programs and operations. Scope and Methodology: To address the objectives of this review, we first identified and reviewed major information and technology management legislative requirements. Specifically, we reviewed: * the Paperwork Reduction Act of 1995, * the Clinger-Cohen Act of 1996, * the E-Government Act of 2002, * the Federal Information Security Management Act of 2002, * the Federal Records Act, * the Freedom of Information Act, and: * the Privacy Act of 1974. We identified the following 13 major areas of CIO responsibilities as either statutory requirements or critical to effective information and technology management.[Footnote 14] * IT/IRM strategic planning. CIOs are responsible for strategic planning for all information and information technology management functions--thus, the term IRM strategic planning [44 U.S.C. 3506(b)(2)]. * IT capital planning and investment management. CIOs are responsible for IT capital planning and investment management [44 U.S.C. 3506(h) and 40 U.S.C. 11312 & 11313]. * Information security. CIOs are responsible for ensuring compliance with the requirement to protect information and systems [44 U.S.C. 3506(g) and 3544(a)(3)]. * IT/IRM workforce planning. CIOs have responsibilities for helping the agency meet its IT/IRM workforce or human capital needs [44 U.S.C. 3506(b) and 40 U.S.C. 11315(c)]. * Information collection/paperwork reduction. CIOs are responsible for the review of agency information collection proposals to maximize the utility and minimize public "paperwork" burdens [44 U.S.C. 3506(c)]. * Information dissemination. CIOs are responsible for ensuring that the agency's information dissemination activities meet policy goals such as timely and equitable public access to information [44 U.S.C. 3506(d)]. * Records management. CIOs are responsible for ensuring that the agency implements and enforces records management policies and procedures under the Federal Records Act [44 U.S.C. 3506(f)]. * Privacy. CIOs are responsible for compliance with the Privacy Act and related laws [44 U.S.C. 3506(g)]. * Statistical policy and coordination. CIOs are responsible for the agency's statistical policy and coordination functions, including ensuring the relevance, accuracy, and timeliness of information collected or created for statistical purposes [44 U.S.C. 3506(e)]. * Information disclosure. CIOs are responsible for information access under the Freedom of Information Act [44 U.S.C. 3506(g)]. * Enterprise architecture. Federal laws and guidance direct agencies to develop and maintain enterprise architectures as blueprints to define the agency mission, and the information and IT needed to perform that mission. * Systems acquisition, development, and integration. We have found that a critical element of successful IT management is effective control of systems acquisition, development and integration [44 U.S.C. 3506(h)(5) and 40 U.S.C. 11312]. * E-government initiatives. Various laws and guidance direct agencies to undertake initiatives to use IT to improve government services to the public and internal operations [44 U.S.C. 3506(h)(3) and the E- Government Act of 2002]. We then developed and administered a questionnaire to the CIOs of the 27 major departments and agencies requesting information on whether these officials were responsible for each of these areas, their reporting relationships, their professional and educational backgrounds, and their challenges.[Footnote 15] We also asked each agency to supply the name, beginning and ending dates in office, and circumstances (e.g., whether they were in an acting or permanent position) of each of the individuals who had served as CIO at the agency since the enactment of the Clinger-Cohen Act. We subsequently interviewed each of the CIOs who were in place at the time of our review (see app. I for the list of the CIOs) in order to corroborate their responses and obtain more detailed explanations of these responses. In addition, as applicable, we collected and reviewed the resumes or biographies of the current CIOs. In analyzing CIOs comments on their challenges, two GAO analysts reviewed the responses and arrived at agreement for the broad categories. Each comment was then placed into one or more of the resulting categories, and agreement regarding each placement was reached between the two analysts. We also conducted two panel discussions with former agency IT executives (six in each panel), including former CIOs, that addressed their experiences and challenges. Appendix II lists these panelists. Finally, we discussed our findings with representatives of OMB's Office of Information and Regulatory Affairs and the members of our Executive Council of Information Management and Technology--a preexisting panel of outside industry, state government, and academic experts--to obtain their views. We conducted our work at the 27 agencies during November 2003 through May 2004 in greater Washington, D.C. in accordance with generally accepted government auditing standards. CIOs Responsible for Most Areas and Generally Reported to Agency Heads: CIOs generally were responsible for most of the 13 key areas we had identified as either required by statute or among those critical to effective information and technology management, and most reported directly to their agency heads. All 27 CIOs had responsibility for 5 of the 13 areas, such as information security and IT capital planning. Of the other eight areas, two of them--information disclosure and statistics--were the responsibility of fewer than half of the CIOs. This assignment of responsibilities is not consistent with the law. However, in those cases where the CIOs were not assigned the expected responsibilities and expressed an opinion about this situation,[Footnote 16] more than half of the CIOs' responses were that the applicable information and technology management areas are appropriately held by some other organizational entity. Moreover, virtually all of the responses indicated that the CIOs were comfortable with their roles. Nevertheless, having these responsibilities performed by multiple officials could make the integration of various information and technology management areas, as envisioned by the law, more difficult to achieve. In addition to requiring that federal agency CIOs have many specific responsibilities, federal law also generally requires that these CIOs report directly to their agency heads. This requirement establishes an identifiable line of accountability and recognizes the importance of CIOs' being full participants in the executive team in order to successfully carry out their responsibilities. Nineteen of the CIOs we interviewed have a direct reporting relationship to their agency head as required by the statute. The other eight have various reporting relationships, often through their agencies' senior administrative or management executives. While reporting to the agency heads may be a means to ensure that the CIO has sufficient stature to "have a seat at the table," only about a third of those who did not report to their agency heads expressed a concern with their reporting relationships. Given these results, it is clear that questions arise about whether the current statutory framework of roles and responsibilities reflects the most effective assignment of information and technology management responsibilities. Our work developing a set of best practices for CIOs' roles and responsibilities, based on leading organizations in the private sector, may shed additional light on this issue. Agency CIOs Generally Responsible for Most Areas: The Congress has assigned a number of responsibilities to the CIOs of federal agencies. In addition, we have identified other areas of information and technology management that can contribute significantly to the successful implementation of information systems and processes. Figure 1 lists the 13 areas of responsibility and the number of CIOs who are assigned responsibility for each (app. III contains additional information on each of these areas). Five of the 13 areas of responsibility were assigned to every agency CIO. These areas are capital planning and investment management, enterprise architecture, information security, IT/IRM strategic planning, and IT workforce planning. Two of these areas--enterprise architecture and capital planning--were mentioned by several CIOs as the mechanisms they use for integrating responsibilities across some of the other areas, because, for example they can provide a checkpoint where the CIO has the opportunity to review proposals and investments before they are funded. The governance processes used in implementing enterprise architecture and capital planning can also provide the opportunity to ascertain that other responsibilities are being executed as required. For example, these processes can require that plans for new systems meet security or records management standards before they are allowed to progress to the next stage of development or funding. Figure 1: Number of CIOs Reporting That They Were Responsible for Each Information and Technology Management Area: [See PDF for image] [End of figure] The next six areas of responsibility shown on the chart--systems acquisition, major electronic government (e-gov) initiatives, information collection/paperwork reduction, records management, information dissemination, and privacy--were assigned to CIOs at between 17 and 25 agencies. Although these responsibilities were formally assigned to the CIO, it was not uncommon for CIOs to report that multiple units contributed to carrying out the activities associated with these responsibilities. For example, * in the management of e-gov initiatives, several CIOs said that they managed the overall effort and share responsibility with the functional unit; * in systems acquisition, several agencies reported that responsibility is shared among the CIO and other officials, such as a procurement executive or program executive. In addition, many CIOs mentioned that they provided metrics and measures of ongoing work, while the procurement or program executive managed the contractor relationship; * for records management, several CIOs described execution of responsibilities as a cooperative effort with administrative or program employees to collect, aggregate, and store the volumes of records; * responsibility for information dissemination at a few agencies was described as being coordinated with the public affairs office, as this unit performs quality reviews and the CIO provides technical support; and: * responsibility for privacy at a few agencies was described as being coordinated with the general counsel, as these officials provide high level guidance and the CIO implements it. Finally, information disclosure/Freedom of Information Act and statistical policy, both statutory responsibilities of the CIO, are the areas least often assigned to the CIO. In these areas, fewer than 10 of the CIOs hold responsibility as specified by the PRA. Disclosure is a responsibility that has frequently been assigned to offices such as general counsel and public affairs in the agencies we reviewed, while statistical policy is often the responsibility of separate offices that are responsible for agency data analysis, particularly in agencies that contain Principal Statistical Agencies.[Footnote 17] Even for those areas of responsibility that were not assigned to them, several CIOs reported that they contributed to the successful execution of agency responsibility. For example, a few mentioned that they provide technical support for the responsible units, such as assisting with Web services for information dissemination or maintaining electronic archives for electronic records management. In addition, five CIOs mentioned that they supported the unit responsible for records management by providing, for example, specific support for the design of systems compatible with electronic records management or by serving in an oversight or coordination role. Most CIOs told us they were comfortable with the existing assignment of responsibilities, although only five CIOs at the 27 major departments and agencies were responsible or shared responsibility for all 13 information and technology management areas. In fact, one of the panels of former agency IT executives suggested that not all 13 areas were equally important to CIOs. A few of the former agency IT executives even called some of the areas relating to information management distractions from the CIO's primary responsibilities. However, this is not consistent with the law, which envisioned that having a single official responsible for the various information and technology functions would provide integrated management. Specifically, one purpose of the PRA is to coordinate, integrate, and--to the extent practicable and appropriate--make federal information resources management policies and practices uniform as a means to improve the productivity, efficiency, and effectiveness of government programs by, for example, reducing information collection burdens on the public and improving service delivery to the public. Moreover, the House Committee Report accompanying this act in 1980 described that aligning IRM activities under a single authority should provide for greater coordination among an agency's information activities as well as greater visibility within the agency.[Footnote 18] Although many agencies did not have the CIO responsible for all IRM activities, a number of CIOs described alternative mechanisms that their agencies used to coordinate or integrate at least some of the activities. Examples of such integrating mechanisms included IRM plans, enterprise architecture processes, and IT capital planning processes. We agree that such mechanisms can provide elements of integration, but we have repeatedly reported that agencies have not effectively implemented such activities.[Footnote 19] For example, in January 2004, we reported that agencies IRM plans often did not address information functions such as information collection, records management, and privacy or their coordinated management.[Footnote 20] Accordingly, we recommended that OMB develop and disseminate to agencies additional guidance on developing their strategic IRM plans. In addition to specifying areas of responsibility for the CIOs of major departments and agencies, the Clinger-Cohen Act calls for certain CIOs to have IRM as their primary duty.[Footnote 21] All but a few of the agencies complied with this requirement. The other significant duties reported by some CIOs generally related to other administrative or management areas, such as procurement and human capital. We[Footnote 22] and Members of Congress[Footnote 23] have previously expressed concern about agency CIOs having responsibilities beyond information and technology management and have questioned whether split duties allow a CIO to deal effectively with an agency's IT challenges. For example, we previously recommended that one agency, which had a CIO who was also the chief financial officer, appoint a CIO with full-time responsibilities for IRM.[Footnote 24] This agency later implemented our recommendation, thereby taking a significant step toward addressing critical and long-standing information and technology management weaknesses. CIOs Generally Reported to Agency Head: Federal law--and our guide on CIOs of leading private sector organizations--generally calls for CIOs to report to their agency heads,[Footnote 25] forging relationships that ensure high visibility and support for far-reaching information management initiatives. Nineteen of the CIOs in our review stated that they had this type of reporting relationship. In the other eight agencies, the CIOs stated that they reported instead to another senior official, for example, a deputy secretary, under secretary, or assistant secretary. Current CIOs and former agency IT executives had mixed views about whether it is important for the CIO to report to the agency head. For example, of the eight CIOs who did not report directly to their agency heads, (1) three indicated that it was important or critical, (2) two stated that it was not important, (3) two noted that it was generally important but that the current reporting structure at their agencies worked well, and (4) one stated that it was very important that a CIO report to at least a deputy secretary. In contrast, 15 of the CIOs who reported to their agency heads stated that this reporting relationship was important. (One agency CIO stated that reporting to the CIO was not important, one CIO did not clearly address the question, and this issue was not discussed with two CIOs.) For example, one of them stated that a direct reporting relationship to the agency head was crucial because top management support is essential for CIOs to carry out their responsibilities; another CIO pointed out that it is difficult to influence IT budget and policy decisions without reporting to the agency head. Eight of the 19 CIOs who said that they had a direct reporting relationship with the agency head noted that they also report to another senior executive, usually the Deputy Secretary or Undersecretary for Management, on an operational basis. Finally, members of our Executive Council on Information Management and Technology, which is composed of noted IT experts, told us that what is most critical is for the CIO to report to a top level official. The members of our panels of former agency IT executives also had various views on whether it was important that the CIO report to the agency head. For example, one former IT executive stated that such a reporting relationship was extremely important, another emphasized that organizational placement was not important if the CIO had credibility, and others suggested that the CIO could be effective while reporting to a chief operating officer. We have explored the application of the chief operating officer concept to the federal government environment in a roundtable and forum that included participants with current or recent executive or management experience.[Footnote 26] While participants expressed a range of views on the chief operating officer concept and its application to the federal government, there was general agreement that there is a need to elevate attention and integrate various key management and transformation efforts, as well as to institutionalize accountability for addressing them. As the Congress holds hearings on and introduces legislation related to information and technology management, there may be an opportunity to consider the results of this review and whether the existing statutory framework related to CIO responsibilities and reporting to the agency head is the most effective structure. Our work developing a set of best practices for CIO roles and responsibilities, based on leading organizations in the private sector, may shed additional light on this issue. CIOs Have Diverse Backgrounds and Generally Remained in Office about 2 Years: At the major departments and agencies included in our review, the current CIOs had diverse backgrounds, and since the enactment of the Clinger-Cohen Act, the median tenure of permanent CIOs whose time in office had been completed was about 2 years.[Footnote 27] Both of these factors can significantly influence whether a CIO is likely to be successful. First, the background of the current CIOs varied in that they had previously worked in the government, the private sector, and academia, and they had a mix of technical and management experience. Because a CIO should be selected based on the specific needs of the agency and the type of role that he or she is expected to play, it was not unexpected to see such diverse backgrounds. Second, the median time in position for agencies' permanent CIOs was 23 months in office. When asked how long a CIO needed to stay in office to be effective, the most common response of current CIOs and former agency IT executives was 3 to 5 years. This gap is consistent with the views of many agency CIOs, who believed that the turnover rate was high and that the political environment, the pay differentials between the public and private sectors, and the challenges that CIOs face contributed to this rate. Various mechanisms, such as human capital flexibilities, are available for agencies to use to help reduce CIO turnover or mitigate its affect. Current CIOs Have Varied Work and Educational Backgrounds: Although the qualifications of a CIO can help determine whether he or she is likely to be successful, there is no general agreement on the optimal background that a prospective agency CIO should have. The conference report accompanying the Clinger-Cohen Act, which established the agency CIO position, requires them to possess knowledge of--and practical experience in--the information and IT management practices of business or government.[Footnote 28] While people like current CIOs and former agency IT executives also echoed the need for the CIO to have IT experience, other types of background, such as business knowledge, and an understanding of how IT can be used to transform agencies and improve mission performance were also seen as critical. The personal attributes of a CIO, such as leadership, communication, and political skills can also be key factors in the selection and success of a CIO. For example, members of our Executive Council on Information Management and Technology, which is composed of noted IT experts, told us that a CIO needs personal attributes like leadership ability to succeed in aligning the business and IT sides of the organization. In particular, he or she must be able to work as a partner with other business or program executives and build credibility with them, in order to be accepted as a full participant in the development of new systems and processes and to achieve successful outcomes with IT investments. According to our CIO guide, the degree of importance that senior executives place on the various attributes that are considered in selecting a CIO depends on the information leadership model and the needs of the enterprise.[Footnote 29] This lack of a standard set of qualifications for CIOs is reflected in the varied work and educational backgrounds of current agency CIOs. For example, 24 of the CIOs had previously worked for the federal government, 16 had worked in private industry, 8 had worked in state and local government, 2 had been in academia. Seventeen CIOs had worked in some combination of two or more of these sectors. Further, virtually all of them had work experience and/or educational backgrounds in IT or IT-related fields. For example, 12 current agency CIOs had previously served in a CIO or deputy CIO capacity. Those who did not have an IT or IT-related professional or educational background had significant non- IRM responsibilities, and their backgrounds were more specific to their other roles (e.g., human capital management). Moreover, most of the CIOs had business knowledge related to their agencies because they had previously worked at the agency or had worked in an area related to the agency's mission. As the diversity of the current CIOs demonstrates, there is no single template for a CIO's background; this illustrates that an agency head should select someone based on the specific needs of the agency and the type of role that he or she is expected to play. Median Tenure of Agency CIOs Was about 2 Years: Another element that influences the likely success of an agency CIO is the length of time the individual has to implement change. For example, our prior work has noted that the experiences of successful major change management initiatives in large private and public sector organizations suggest that it can often take at least 5 to 7 years until such initiatives are fully implemented and the related cultures are transformed in a sustainable manner.[Footnote 30] The need for major changes in federal information and technology management is demonstrated by our high-risk and performance and accountability series reports, which show that there are long-term information and technology management problems and challenges facing federal agencies that will take years of sustained attention and continuity to resolve.[Footnote 31] When asked how long a CIO needed to stay in office to be effective, current CIOs and former agency IT executives most commonly responded 3 to 5 years. In particular, some cited the budget cycle as a reason why a CIO needed to be in place for a while in order to allow sufficient time for the CIO's vision and priorities to be reflected in the agency's budget requests and subsequent appropriations. Nevertheless, since February 10, 1996 (the date the Clinger-Cohen Act was enacted), the median tenure of agencies' permanent CIOs who had completed their time in office was about 23 months (see app. IV for a chart that illustrates the tenure of each permanent and acting CIO and a table that presents further statistical analysis of the tenure data).[Footnote 32] Moreover, between February 10, 1996, and March 1, 2004, only about 35 percent of the permanent CIOs who had completed their time in office reportedly stayed in office for a minimum of 3 years. This is consistent with the views of many agency CIOs, who believed that the turnover rate was high. A high turnover rate is a problem, according to some current CIOs, because it can negatively impact their effectiveness. For example, CIOs may not have time to put their agenda in place or form close working relationships with agency leadership. Echoing this view, one former agency IT executive stated that with too much turnover nothing really substantial is accomplished by a CIO. Among the reasons cited for a high turnover rate were the challenges that CIOs face, the political environment, and the pay differentials between the public and private sectors. For example, among the challenges cited by current CIOs were being perceived as an adversary by others in the agency, the complexity of the issues, and the high- stress nature and long hours typical of the position. Another factor affecting the turnover rate is the number of CIOs who were political appointees; they stayed about 13 months less than those in career civil service positions. Specifically, the median time in position for career CIOs who had completed their time in office was about 32 months, while the median for political appointees was about 19 months. Nevertheless, there was a lack of consensus among the current CIOs and former agency IT executives about whether CIOs should be political appointees or not. For example, some believed that political CIOs could be more effective because they might have more access to, and influence with, the agency head. Others believed that CIOs in career positions could be more effective because, for example, they would be more likely to understand the agency, including its culture and work environment. A number of mechanisms could be used to ensure continuity in the face of frequent CIO changes in agencies. For example, we have previously reported that results-oriented performance agreements can help to maintain a consistent focus on a set of broad programmatic priorities during changes in leadership.[Footnote 33] This can help to reduce significant discontinuities in objectives as new CIOs step in. One mechanism that came to our attention through our interviews is the establishment of a deputy CIO position. A deputy CIO can help to ensure continued attention to ongoing objectives when there is a hiatus between one CIO and the next. A deputy CIO can also increase the effectiveness of the CIO organization by providing skills and work experiences that are complementary to those of the CIO. Moreover, the appointment of deputy CIOs was anticipated by the Congress when the Clinger-Cohen Act was passed. The conference report accompanying the act states "the conferees also intend that deputy chief information officers be appointed by agency heads that have additional experience [in specific technical areas]."[Footnote 34] At the time of our review, 24 departments and agencies had deputy CIO positions, of which 22 were filled. The establishment of this position at almost all of the agencies is important because successful information and technology management rests on the skills and performance of the entire CIO organization within the department and agency--not just the CIO as an individual. In addition to taking action to help ensure continuity, agencies may also be able to use human capital flexibilities--which represent the policies and practices that an agency has the authority to implement in managing its workforce--to help retain its CIOs. For example, our model on strategic human capital management notes that recruiting bonuses, retention allowances, and skill-based pay can attract and retain critical skills needed for mission accomplishment.[Footnote 35] Similarly, two members of our panels of former agency IT executives stated that the government should examine its rewards systems and learn from the private sector's incentive programs. Other panelists asserted that additional money is not key to attracting and retaining CIOs; instead they cited the importance of nonmonetary incentives, such as offering an attractive package of authorities and responsibilities. We have previously identified six key practices for the effective use of human capital flexibilities, including planning strategically and making targeted investments and educating managers and employees on the availability and use of flexibilities.[Footnote 36] In addition, we have reported that although the Office of Personnel Management has taken several actions to assist agencies in the identification and use of human capital flexibilities, additional actions by this agency could further facilitate the use of flexibilities.[Footnote 37] Major Challenges Facing Agency CIOs: Current CIOs reported that they faced major challenges in fulfilling their duties (see fig. 2). In particular, two challenges were cited by over 80 percent of the CIOs: implementing effective IT management and obtaining sufficient and relevant resources. This indicates that CIOs view IT governance processes, funding, and human capital as critical to their success. Other common challenges cited were communicating and collaborating internally and externally and managing change. Effectively tackling these reported challenges can also improve the likelihood of CIOs' success. To aid them in addressing the multitude of challenges that they face, we have issued guidance that address several of the problems they cited. Figure 2: Major Challenges Facing Agency CIOs: [See PDF for image] [End of figure] Implementing Effective IT Management: Leading organizations execute their IT management responsibilities reliably and efficiently. A little over 80 percent of the CIOs reported that they faced one or more challenges related to implementing effective IT management practices at their agencies. This is not surprising given that, as we have previously reported, the government has not always successfully carried out its responsibilities in the IT management areas that were most frequently cited as challenges by the CIOs; information security, enterprise architecture, investment management, and e-gov.[Footnote 38] * Fifteen agency CIOs cited managing and improving information security as a challenge. For example, one agency CIO cited a challenge of increasing the security maturity of his agency while dealing with increased security risks and threats; another discussed institutionalizing information security policies in the management, planning, and operation of over 200 systems. We have previously issued guidance addressing security best practices to help agencies with their information security challenges.[Footnote 39] * Fifteen CIOs discussed challenges associated with IT investment management, including strengthening an agency's process to help ensure that investments are in line with its mission, business needs, and enterprise architecture and implementing appropriate IT performance measures. For example, one CIO reported a challenge in developing a capital planning process that will ensure that the agency's IT investments are selected, resourced, and acquired to optimize mission accomplishment. This individual further elaborated that the agency's capital planning process was unwieldy and, therefore, not a good fit in an IT environment that requires agility to deal with a rapid rate of change. Another CIO reported problems with performance measurement-- such as a lack of baseline data--and planned to introduce a balanced scorecard approach and a portfolio management tool to address this challenge. We have previously issued guidance related to IT investment management including, most recently, a new version of our framework, which offers organizations a road map for improving their IT investment management processes in a systematic and organized manner.[Footnote 40] * Eleven agency CIOs emphasized the building and enforcement of an enterprise architecture as challenging. For example, one CIO noted that keeping the agency's enterprise architecture up-to-date was a challenge in light of evolving federal enterprise architecture guidelines. In April 2003, we issued a framework that provides agencies with a common benchmarking tool for planning and measuring their efforts to improve their enterprise architecture management.[Footnote 41] * Seven CIOs mentioned that they faced challenges related to implementing e-government; two of them citing addressing the e- government element of the President's Management Agenda as a challenge. Other challenges associated with e-government included (1) meeting the requirements of the E-Government Act of 2002 (P.L. 107-347), (2) needing more comprehensive modernization and/or migration plans that incorporate governmentwide solutions, and (3) balancing and integrating rapidly evolving e-government initiatives with the need to provide responsive ongoing operational support. In addition to managing IT, agency CIOs also reported challenges associated with specific technological solutions. In particular, eight CIOs reported dealing with integration and consolidation issues as a challenge. Other specific technological challenges included ensuring adequate bandwidth and network connectivity. Obtaining Sufficient and Relevant Resources: One key element in ensuring an agency's information and technology success is having adequate resources available. Virtually all agency CIOs cited resources, both in dollars and staff, as major challenges. The funding issues cited generally concerned the development and implementation of agency IT budgets and whether certain IT projects, programs, or operations were being adequately funded. We have previously reported that the way agency initiatives are originated can create funding challenges that are not found in the private sector.[Footnote 42] For example, certain information systems may be mandated or legislated, so the agency does not have the flexibility to decide whether or not to pursue them. Additionally, there is a great deal of uncertainty over the funding levels that may be available from year to year. The multitude of players in the budget process can also lead to unexpected changes in funding. The CIOs cited similar challenges. They observed some specific budgetary or funding challenges such as (1) technology moving faster than the budget process, (2) systems requirements not always accompanied by funding, (3) ensuring adequate and stable funding to support Office of CIO operations, and (4) difficulty prioritizing IT initiatives within the budget to ensure that the agency meets Presidential and Secretarial priorities and mission. The government also faces long-standing and widely recognized challenges in maintaining a high-quality IT workforce. In 1994 and again in 2001, we reported the importance that leading organizations placed on making sure they had the right skill mix in their IT workforce.[Footnote 43] About 70 percent of the agency CIOs reported on a number of substantial IT human capital challenges, including, in some cases, the need for additional staff. Examples of specific comments follow. * Recruiting. Seven CIOs named recruiting as a challenge. For example, one CIO stated that the hiring process takes too long and that good candidates are no longer available by the time the hiring process is completed. Another CIO noted that turnover in technical positions is high and that that government cannot fill openings as fast as they occur. * Training and development. Seven CIOs listed training and development as a challenge. One CIO noted that training funds were inadequate. In addition, several CIOs pointed to project management as a particular area in need of enhancement. * Retention. Four CIOs listed retention of high quality skilled staff as a challenge. One CIO commented that, as staff become more skilled and obtain certifications, they become more difficult to retain and that more flexibility in retaining staff was needed. * Succession planning. Three CIOs cited succession planning as a challenge; succession planning can help an organization identify, develop, and select human capital to ensure that successors are the right people, with the right skills, available at the right time for leadership and other key positions. We have previously reported that many of these same issues exist for the government as a whole, not just for information and technology management. As a result, in January 2001 and again in January 2003, we designated strategic human capital management as a governmentwide high- risk area.[Footnote 44] Moreover, in June 2004, we reported that within the government and the private sector it has been widely recognized that the federal government's hiring process is lengthy and cumbersome and hampers agencies' ability to hire high-quality people.[Footnote 45] We have issued several reports that discuss these issues in more depth and provide possible solutions and recommendations.[Footnote 46] Communicating and Collaborating Internally and Externally: Our prior work has shown the importance of communication and collaboration, both within an agency and with its external partners. For example, one of the critical success factors we identified in our CIO guide focuses on the CIO's ability to establish his or her organization as a central player in the enterprise.[Footnote 47] Specifically, effective CIOs--and their supporting organizations--seek to bridge the gap between technology and business by networking informally, forming alliances, and building friendships that help ensure support for information and technology management. In addition, earlier this year we reported that to be a high-performing organization, a federal agency must effectively manage and influence relationships with organizations outside of its direct control.[Footnote 48] Ten agency CIOs reported that communication and collaboration were challenges. For example, one CIO stated that it is a challenge for him to deal with the sheer diversity and volume of interactions within and outside the agency and with the need to align these organizations' agendas with his agency's objectives. Examples of internal communication and collaboration challenges included (1) cultivating, nurturing, and maintaining partnerships and alliances while producing results in the best interest of the enterprise and (2) establishing supporting governance structures that ensure two-way communication with the agency head and effective communication with the business part of the organization and component entities. Other CIOs cited activities associated with communicating and collaborating with outside entities challenging, including sharing information with partners and influencing the Congress and OMB. Although communication and collaboration can be problematic, our work on the Year 2000 computing challenge demonstrated their value.[Footnote 49] Both effective communication and partnering were cited by agencies and others as lessons learned that contributed to the government's success in this critical effort. Specifically, for the Year 2000 effort, government actions went beyond the boundaries of individual programs or agencies and involved governmentwide oversight; interagency cooperation; and cooperation among federal, state, and local governments; private sector entities; and foreign countries. Managing Change: Top leadership involvement and clear lines of accountability for making management improvements are critical to overcoming an organization's natural resistance to change, marshalling the resources needed to improve management, and building and maintaining organizationwide commitment to new ways of doing business. Some CIOs reported challenges associated with implementing changes--those originating both from outside forces and at their own initiative. For example, one CIO found it a challenge to maintain compliance with changing regulations and ever-increasing executive direction and data calls. Another CIO cited dealing with resistance to the use of a rigorous IT methodology as a challenge. Implementing major IT changes can involve not only technical risks, but also nontechnical risks, such as those associated with people and the organization's culture. Six CIOs cited dealing with the government's culture and bureaucracy as challenges to implementing change. For example, one CIO reported that there was institutional resistance to departmentwide changes. Another noted that one of his challenges was breaking down long-standing stovepipes that make no sense in a global information environment. Former agency IT executives also cited the need for cultural changes as a major challenge facing CIOs. Accordingly, in order to effectively implement change, it is important that CIOs build understanding, commitment, and support among those who will be affected by the change. In 2002, we convened a forum to identify useful practices and lessons learned from major private and public sector organizational mergers, acquisitions, and transformations that agencies could implement to successfully transform their cultures.[Footnote 50] Examples of the nine key practices identified are (1) ensuring that top leadership drives the transformation, (2) setting implementation goals and a time line to build momentum and show progress, and (3) using the performance management system to define responsibility and ensuring accountability for change. Conclusions: Agency CIOs generally reported that they had most of the responsibilities and reporting relationships required by law or critical to effective information and technology management, but there were notable exceptions. In particular, contrary to requirements in the law, some agency CIOs reported that they were not responsible for certain areas, such as records management, and that they did not report to their agency heads. However, views were mixed as to whether CIOs could be effective leaders without having responsibility for each individual area. The success of the CIO position also hinges, at least in part, on whether the individuals placed in this role have the background and attributes necessary to assume an agency's IT leadership mantle and whether they spend sufficient time in office to implement changes. Current agency CIOs have had a wide variety of prior experiences; but they generally have work and/or educational backgrounds in IT or IT- related fields, as well as business knowledge related to their agencies. However, most CIOs did not stay in office for 3 to 5 years, which was the most common response when we asked current CIOs and former agency IT executives how long a CIO needed to be in office to be effective. Agencies' use of various mechanisms, such as human capital flexibilities, could help reduce the turnover rate or mitigate its effect. Reducing turnover among CIOs is important because the length of time CIOs are in office can affect their ability to successfully address the major challenges they face. Some of these challenges--such as how IT projects are originated--may not be wholly within their control. Other challenges--such as improved IT management--are more likely to be overcome if a CIO has sufficient time to more effectively address these issues. Matter for Congressional Consideration: As it holds hearings on and introduces legislation related to information and technology management, we suggest that the Congress consider the results of this review and whether the existing statutory requirements related to CIO responsibilities and reporting to the agency heads reflect the most effective assignment of information and technology management responsibilities and reporting relationships. Agency Comments and Our Evaluation: We received written or oral responses on a draft of this report from OMB and from all 27 of the agencies that were included in our review.[Footnote 51] In particular, OMB and three agencies made specific comments on the report. These comments and our analysis are summarized below: * Oral comments were provided by representatives of OMB's Office of Information and Regulatory Affairs, Office of Electronic Government and Information Technology, and Office of General Counsel. Representatives of these offices noted that, although this report focused on the extent to which CIOs reported that the areas of responsibility assigned to them are consistent with 13 areas that GAO identified as critical to effective information and technology management, they were unclear on the correlation between or conclusions drawn about who in the agency is responsible and whether the agency achieves intended outcomes or results. The objective of this review was to determine which responsibilities were assigned to current agency CIOs. We did not attempt to draw conclusions regarding the relationship between the assignment of specific responsibilities and an agency's success in achieving desired outcomes in those areas. The OMB representatives also noted that only 10 of the 13 areas surveyed by GAO are mandated by statute, and they questioned the need to include 3 nonstatutorily- mandated areas of CIO responsibility in this report. We continue to believe that the 3 additional responsibilities included in this report- -systems acquisition, development, and integration; major e-government initiatives; and enterprise architecture--can contribute significantly to the successful implementation of information systems and processes. Furthermore, these responsibilities are assigned to agencies by statute (though not to the CIO explicitly), the President's Management Agenda, and OMB's own guidance. The importance of these three areas to CIOs was borne out by the fact that over 90 percent of the CIOs have been assigned responsibility for them. Finally, the representatives had no opinion about whether these areas or the agency official designated to be responsible for them are "critical" to effective information and technology management, and they drew no conclusions about the adequacy or effectiveness of the current statutory framework of CIO responsibilities. * The Department of Defense's Deputy Assistant Secretary of Defense (Deputy CIO) agreed with the findings of the report but did not concur with our suggestion that the Congress consider the results of our review when it holds hearings on and introduces legislation related to information and technology management. In particular, Defense recommended that either we make no suggestion to the Congress or that we suggest that the Congress consider ways to strengthen the CIOs' authority and to focus on specific responsibilities for congressional review. We agree that strengthening the authority of CIOs can be crucial to their success and to the effectiveness of information and technology management in their agencies. Nevertheless, with respect to reporting to the agency head, the participants in our review offered a number of alternative arrangements. These alternatives included reporting to a deputy secretary or to a chief operating officer or equally high-level official, or maintaining a dual reporting relationship that includes the agency head. Such reporting relationships may provide the authority and accountability necessary for CIOs to be effective in their organizations. Accordingly, we continue to believe that such alternatives deserve consideration if the Congress holds hearings or introduces legislation related to CIOs' reporting relationships. With respect to being more specific in our suggestions for changes to CIO responsibilities, we do not want to suggest that the Congress constrain the scope of its deliberations should it choose to take another look at the responsibilities of the CIO. The Department of Defense also provided a technical comment that we addressed, as appropriate. Defense's written comments--along with our responses--are reproduced in appendix VI. * The Department of the Interior's Assistant Secretary for Policy, Management and Budget provided comments suggesting that the Congress consider the impact of continuing changes on the ability of agencies to effect those changes. While we recognize that agencies require time to implement major changes, we also note that most of the statutory requirements considered in our report have been law since 1996. The Assistant Secretary also recommended that the CIO continue to be required to report to the agency head, which is the reporting relationship at Interior. Interior's CIO reporting relationship is consistent with the law and potentially provides strong support for the CIO in executing his or her responsibilities. However, as we previously noted, the participants in our review offered a number of alternative reporting arrangements that could provide the CIO with the necessary support. We believe that these alternatives deserve consideration. Interior's written comments, along with our responses, are reproduced in appendix VII. * The director of the Office of Personnel Management provided written comments in which she included several examples of actions the agency has taken to encourage the use of human capital management flexibilities to recruit and retain a high quality workforce. It was outside the scope of this report to review the Office of Personnel Management's actions to encourage the use of human capital flexibilities. The Office of Personnel Management's written comments, and our response, are reproduced in appendix VIII. With respect to the other agencies in our review, most generally agreed with our findings or declined to comment specifically. The agencies' responses are as follows: * The Department of Agriculture's CIO thanked GAO for the opportunity to review the report but provided no further comments. The department's written comments are reproduced in appendix V. * The Department of Commerce's GAO Liaison e-mailed a response in which she thanked GAO for the opportunity to review the report but provided no further comments. * A management and program analyst from the Office of the Secretary at the Department of Education e-mailed a response in which the department provided no comments. * A program analyst from the Office of the CIO at the Department of Energy e-mailed a response in which the department provided no comments. * The Environmental Protection Agency's GAO Liaison Officer e-mailed a response in which the agency offered no comments. * A management analyst at the General Services Administration e-mailed a response in which the agency provided no comments. * The Department of Health and Human Services' E-Gov Program Coordinator and CIO provided an e-mail response in which the department provided no comments. * The Department of Homeland Security's GAO Liaison provided an e-mail response in which the department offered no comments. * The director of Department of Housing and Urban Development's Office of Management and Planning, Office of Administration, e-mailed a response in which the department offered no comments. * The Department of Justice's Justice Management Division Audit Liaison at the Department of Justice provided an e-mail response in which she thanked GAO for the opportunity to review the report but provided no further comments. * A senior accountant in the Office of the Chief Financial Officer at the Department of Labor e-mailed a response in which the department generally agreed with GAO's findings and conclusions. In particular, they concurred on the challenges a CIO faces and on other general conclusions. * The National Aeronautics and Space Administration's GAO/OIG Audit Liaison Team Leader e-mailed a response in which the agency offered no comments. * The CIO at the National Science Foundation provided e-mail comments in which he described the report as very informative and well organized and presented. He commented that it is certain to be of use as the foundation considers the role of the CIO in the future. He did not have any further comments or suggestions. * The Special Assistant to the CIO at the Nuclear Regulatory Commission provided an e-mail response in which he thanked GAO for the opportunity to review the report but provided no further comments. * The Assistant Administrator for Congressional and Legislative Affairs at the Small Business Administration provided an e-mail response in which he thanked GAO for the opportunity to review the report but provided no further comments. * The audit liaison at the Social Security Administration provided an e-mail response in which he thanked GAO for the opportunity to review the report but provided no further comments. * A program analyst at the Department of State provided e-mail comments in which she thanked GAO for the opportunity to comment on the report and described it as a useful tool for supporting the advancement of information technology throughout the federal government. She also provided technical comments that we incorporated, as appropriate. * The Department of Transportation's Director of Audit Relations e- mailed that the department had no comments. * The Department of the Treasury's CIO provided written comments in which he agreed with the report's identification of the major challenges a CIO faces. Treasury's written comments are reproduced in appendix IX. * The U.S. Agency for International Development's Assistant Administrator, Bureau for Management, provided written comments in which he concurred with the content of the report. The U.S. Agency for International Development's written comments are reproduced in appendix X. * The Department of Veterans Affairs' Acting Director of the Congressional Reports and Correspondence Service in the Office of Congressional and Legislative Affairs provided an e-mail response in which he agreed with the information presented in our report. We are sending copies of this report to the secretaries of the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; the administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the commissioners of the Nuclear Regulatory Commission and the Social Security Administration; and the directors of the National Science Foundation, Office of Management and Budget, and Office of Personnel Management. We will also make copies available to others upon request. In addition, this report will be available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov]. If you have any questions on matters discussed in this report, please contact me at (202) 512-9286 or Lester Diamond, Assistant Director, at (202) 512-7957. We can also be reached by e-mail at [Hyperlink, pownerd@gao.gov] and [Hyperlink, diamondl@gao.gov], respectively. Other key contributors to this report are listed in appendix XI. Signed by: David A. Powner: Director, Information Technology Management Issues: [End of section] Appendixes: Appendix I: Chief Information Officers (CIO) Interviewed: Department/agency: Department of Agriculture; Chief information officer[A]: Lawrence Scott Charbo. Department/agency: Department of Commerce; Chief information officer[A]: Tom Pyke. Department/agency: Department of Defense; Chief information officer[A]: John P. Stenbit. Department/agency: Department of the Air Force; Chief information officer[A]: John M. Gilligan. Department/agency: Department of the Army; Chief information officer[A]: Lieutenant General Steven W. Boutelle. Department/agency: Department of the Navy; Chief information officer[A]: David Martin Wennergren. Department/agency: Department of Education; Chief information officer[A]: William J. Leidinger. Department/agency: Department of Energy; Chief information officer[A]: Rosita Ortiz Parkes. Department/agency: Department of Health and Human Services; Chief information officer[A]: Kathleen D. Heuer. Department/agency: Department of Homeland Security; Chief information officer[A]: Steve Cooper. Department/agency: Department of Housing and Urban Development; Chief information officer[A]: Vickers B. Meadows. Department/agency: Department of the Interior; Chief information officer[A]: W. Hord Tipton. Department/agency: Department of Justice; Chief information officer[A]: Vance Hitch. Department/agency: Department of Labor; Chief information officer[A]: Patrick Pizzella. Department/agency: Department of State; Chief information officer[A]: Bruce Morrison. Department/agency: Department of Transportation; Chief information officer[A]: Daniel P. Matthews. Department/agency: Department of the Treasury; Chief information officer[A]: Drew Ladner. Department/agency: Department of Veterans Affairs; Chief information officer[A]: Edward Francis Meagher. Department/agency: Environmental Protection Agency; Chief information officer[A]: Kimberly T. Nelson. Department/agency: General Services Administration; Chief information officer[A]: Michael W. Carleton. Department/agency: National Aeronautics and Space Administration; Chief information officer[A]: Patricia Lee Dunnington. Department/agency: National Science Foundation; Chief information officer[A]: Dr. George O. Strawn. Department/agency: Nuclear Regulatory Commission; Chief information officer[A]: Ellis W. Merschoff. Department/agency: Office of Personnel Management; Chief information officer[A]: Janet L. Barnes. Department/agency: Small Business Administration; Chief information officer[A]: Stephen D. Galvan. Department/agency: Social Security Administration; Chief information officer[A]: Thomas P. Hughes. Department/agency: U.S. Agency for International Development; Chief information officer[A]: John Marshall. Source: GAO. [A] These CIOs were in their positions during the time of our review, but some are no longer the CIOs at their agencies. [End of table] [End of section] Appendix II: Former Agency Senior Information Technology (IT) Executive Panels: In March 2004, we held two panels of former agency senior IT executives, during which we discussed CIOs' roles and responsibilities, reporting relationships, and challenges. Table 1 provides the former and current titles of these officials. Table 1: Former Agency Senior IT Executive Panels: Name: First panel, held March 2, 2004. Name: Mayi Canales; Former agency/positions: Department of the Treasury/Acting Deputy Assistant Secretary (Information Systems) and CIO; Current organization/position: M Squared Strategies, Inc./Chief Executive Officer. Name: Dr. Renato A. DiPentima; Former agency/positions: Social Security Administration/Deputy Commissioner for Systems; Current organization/position: SRA International, Inc./President and Chief Operating Officer. Name: James J. Flyzik; Former agency/positions: Department of the Treasury/Deputy Assistant Secretary for Information Systems and CIO; Current organization/position: Guerra, Kiviat, Flyzik, and Associates, Inc./Partner. Name: Norman E. Lorentz; Former agency/positions: U.S. Postal Service/Chief Technology Officer; Office of Management and Budget/Chief Technology Officer; Current organization/ position: DigitalNet./Senior Vice President, Intergovernmental Solutions. Name: William C. Piatt; Former agency/positions: General Services Administration/CIO; U.S. Peace Corps/ CIO; Current organization/position: Unisys Corporation/Partner, U.S. Federal Government Group. Name: Daniel E. Porter; Former agency/positions: Department of the Navy/CIO; Current organization/ position: CACI International Inc./ Senior Vice President, Navy Account, Defense & Intelligence Business Group. Name: Second panel, held March 4, 2004. Name: Roger W. Baker; Former agency/positions: Department of Commerce/CIO; Current organization/position: General Dynamics Network Systems/Vice President, Federal Civilian Operations. Name: Paul Brubaker; Former agency/positions: Department of Defense/Deputy Assistant Secretary and Deputy CIO; Current organization/position: SI International/Executive Vice President and Chief Marketing Officer. Name: Spain (Woody) Hall, Jr; Former agency/positions: Department of Homeland Security/Assistant Commissioner and CIO of Customs and Border Protection; U.S. Customs Service/Assistant Commissioner and CIO; and Department of Energy/ Deputy Assistant Secretary and CIO; Current organization/position: Science Applications International Corporation/ Enterprise and Infrastructure Solutions Group/Corporate Vice President for Project Management. Name: George R. Molaski; Former agency/positions: Department of Transportation/CIO; Current organization/ position: e-Associates, LLC/President and Chief Executive Officer. Name: Alvin M. Pesachowitz; Former agency/positions: Environmental Protection Agency/Associate Assistant Administrator, Office of Environmental Information and CIO; Current organization/position: Grant Thornton LLP/Global Government Group/Director of IT Consulting. Name: Debra Stouffer; Former agency/positions: Department of Housing and Urban Development/ Deputy CIO for IT Reform; Environmental Protection Agency/Chief Technology Officer; Current organization/position: DigitalNet./Vice President, Strategic Consulting Services. Source: GAO. [End of table] [End of section] Appendix III: Summary of CIOs' Information Management and Technology Responsibilities at Major Departments and Agencies: Capital Planning and Investment Management--Federal laws and guidance direct agencies to develop and implement processes for IT capital planning and investment management. 44 U.S.C. 3506(h) and 40 U.S.C. 11312 & 11313. Results; Yes: 27; No: 0. Summary: * Although all the CIOs had primary responsibility for this area, several said that other organizational units supported the execution of this responsibility, often through diverse membership on an IT investment board, which virtually all agencies had in place. At a majority of agencies, the CIO chaired this IT investment board. Other mechanisms CIOs used to ensure that their responsibilities were being executed included making sure appropriate policies and guidance were in place, conducting periodic investment reviews, and building strong relationships with other officials; * Working within the constraints of the federal budget cycle, including responding to evolving budget exhibit requirements, was perceived as a challenge by almost half of the CIOs, as was working with the business side of the agency. Capturing sufficient attention from top management to build an effective process was mentioned as a challenge by several CIOs. Another challenge was how to exert influence over IT investments within agency components. Prioritizing investments and cutting projects due to budget constraints was also mentioned by several CIOs. Enterprise Architecture (EA)--Federal laws and guidance direct agencies to develop and maintain enterprise architectures as blueprints to guide IT modernization. Results; Yes: 27; No: 0. Summary: * The CIOs used a variety of mechanisms to address their EA responsibilities, such as participating on investment review boards to ensure compliance with EA requirements and chairing or participating in committees that review and approve EA development activities. Several CIOs also said that they promote EA awareness and ensure that the EA include key business processes and requirements. Finally, some CIOs commented that understanding of and support for the agency EA are improving; * CIOs said they faced challenges with the activities related to the development and implementation of the EA. These challenges included documenting the "as is" architecture, including interdependencies and interoperability, compliance with the agency EA and the federal enterprise architecture, and implementation and transition issues. Of the CIOs who reported challenges pertaining to EA activities, among other things, they identified obtaining staff buy-in and building relationships with business components and field offices as another key challenges; * Of the CIOs who responded to a question about changes they would recommend, 13 commented that no changes were needed to their role, and some CIOs described EA legislation and guidance as being adequate. However, seven identified the need for changes in other areas, including increased support from management and staff, discipline, oversight, and improvements in managers' and staff's knowledge and skills. Two reported that CIOs needed to play a greater role in EA activities. Information Security--The agency CIO is responsible for protecting information and systems. 44 U.S.C. 3506(g) and 3544(a)(3). Results; Yes: 27; No: 0. Summary: * CIOs described several mechanisms for ensuring that their information security responsibilities were being carried out, including periodic meetings to review agency security performance, Federal Information Security Management Act reporting, vulnerability and intrusion detection testing, and risk mitigation strategies. All of the agencies had senior information security positions to take direct responsibility for this area. Many CIOs mentioned that they followed Federal Information Security Management Act guidance and were satisfied with it; * Challenges in this area included institutionalizing strong security practices throughout the agency and reducing the number of networks and systems to be secured. In addition, five CIOs mentioned that it was difficult to find qualified staff for the security function; * Many CIOs expressed concern with the criteria used to score information security performance at their agencies. Seven CIOs mentioned the need for greater clarity in the definition of information security success or progress, and five CIOs suggested that it would be helpful if the various oversight bodies could develop a consistent set of criteria. Finally, two CIOs suggested that quicker turnaround between measuring and reporting performance would present a more accurate picture of the actual security condition. IT/IRM Strategic Planning--The agency CIO is responsible for strategic planning for all information and technology management functions--thus, the term information resources management (IRM) strategic planning. 44 U.S.C. 3506(b)(2). Results; Yes: 27; No: 0. Summary: * In describing how they ensure that this responsibility is being carried out, many said they made sure that appropriate policies, procedures, or processes were in place. Seven CIOs mentioned using the investment management process to ensure that strategic priorities were enforced; * Nearly half of the CIOs mentioned that coordination across various stakeholders was a challenge in this area. Several CIOs also cited measuring performance as a challenge; * Several CIOs suggested any changes in this area, although three mentioned that additional guidance would be beneficial. IT/IRM Workforce Planning--CIOs have responsibilities for helping the agency meet its IT/IRM workforce or human capital needs [44 U.S.C. 3506(b) and 40 U.S.C. 11315(c)]. Results; Yes: 27; No: 0. Summary: * Responsibility for this area is often shared. Most CIOs worked with other organizational units to identify agency workforce needs and define gaps in available staff. The process of addressing these gaps - through hiring, training, or contracting - was carried out by most CIOs in collaboration with the human resources or procurement units of the agency; * Most CIOs identified personnel management as a key challenge in this area, including the ability to attract staff with specific skills required, ensure personnel retention, and keep adequate numbers of personnel in the IT leadership pipeline. Additionally, several CIOs described hiring processes as cumbersome and a factor that tends to hinder workforce planning activities. Major electronic government (e-gov) initiatives--Various laws and guidance have directed agencies to undertake a variety of e-gov initiatives relating to using IT to improve government services to the public, as well as operations within the government. Results; Yes: 25; No: 2. Summary: * At agencies where CIOs have been given responsibility for major e-gov initiatives, CIOs have adopted a number of mechanisms to ensure that their responsibilities were being carried out adequately. Several agencies have established an e-gov program management office and/or have assigned project managers. Several CIOs reported that they use a scorecard, or other grading system, to identify strengths and weaknesses in their e-gov initiatives. Even when the CIOs have been assigned primary responsibility, they sometimes share responsibility with the functional unit; * A few agencies have assigned responsibility for major e-gov initiatives to a senior-level political appointee to raise the visibility of the initiatives; * Challenges in this area included managing projects of the scale of the major e-gov initiatives. Systems Acquisition, Development, and Integration--GAO found that a critical element of successful IT management is effective control of systems acquisition, development, and integration. Results; Yes: 25; No: 2. Summary: * Several CIOs who had responsibility for this area shared that responsibility with other officials, including the senior acquisition official and system owners. Most CIOs reported that they utilized various control processes, such as system review boards and investment management boards, to provide oversight of systems acquisition and development activities. The enterprise architecture was also mentioned as a mechanism to guide these activities and ensure interoperability of systems; * The two CIOs who did not have responsibility for this area reported that they contributed to the successful execution of responsibilities by ensuring that systems comply with the EA or other standards. Where the CIO did not have primary responsibility, the senior acquisition or procurement official usually had that responsibility; * Several CIOs mentioned that coordinating activities related to systems acquisition was a challenge. Monitoring activities to ensure adherence to standards was also mentioned as a challenge. A few CIOs also reported that attracting and retaining individuals with expertise in acquisition and development was difficult. Information Collection/Paperwork Reduction--The agency CIO is responsible for overseeing a process to review agency information collection proposals in order to maximize the utility and minimize the public "paperwork" burdens associated with the agency's collection of information. 44 U.S.C. 3506(c). Results; Yes: 22; No: 5. Summary: * Most CIOs said that they focused on statutory and Office of Management and Budget (OMB) requirements in meeting their responsibilities in this area, and several CIOs noted that they developed reports for OMB in this area. Several CIOs specifically mentioned the use of internal systems and databases to produce automated reports. A few CIOs mentioned using agency Web sites as a mechanism to support information collection and paperwork reduction, for example, by allowing for public comment on collections. Several CIOs described this function as largely administrative and not a priority; * In most agencies where the CIO did not have this responsibility, administrative units carried out these activities; * A general lack of understanding of the area and its terminology was mentioned as a challenge by a few CIOs. CIOs at a few agencies also mentioned that coordinating and implementing their responsibilities was difficult when they dealt with large and complex collections. Records Management--The agency CIO is responsible for ensuring that the agency implements and enforces records management policies and procedures. 44 U.S.C. 3506(f). Results; Yes: 21; No: 6. Summary: * Most CIOs with responsibility for records management felt that they were the most appropriate official to have that responsibility. Several also stated that their involvement in the area has been made more important since agencies began maintaining records electronically. Most of the CIOs stated that they have developed policies and procedures to make sure records management activities are carried out appropriately, and a few mentioned they also use OMB and NARA reporting to oversee activities in the area; * In agencies where the CIO was not responsible for records management, various other officials held responsibility, including senior administrative officials and General Counsel; * A few CIOs mentioned that NARA guidance was continuing to evolve, particularly in the area of electronic records. A few CIOs also described the need for agencies to become more aware of the value of records management and begin to use it to manage the agency's records as an asset. Information Dissemination--The agency CIO is responsible for ensuring that the agency's information dissemination activities meet policy goals, such as timely and equitable public access to information. 44 U.S.C. 3506(d). Results; Yes: 20; No: 7. Summary: * Several CIOs reported that they participate in internal review activities to determine compliance with requirements. Five CIOs develop policies, procedures, and guidance for information dissemination activities. Several CIOs also reported that they shared information dissemination responsibilities with other agency staff to fulfill the department's information dissemination responsibilities; * In those agencies in which the CIO was not responsible for this area, responsibility was most often held by the Office of Public Affairs; * One CIO said that transitioning from traditional information dissemination methods to digital information delivery was presenting challenges, including developing appropriate access controls and updating policies. A few CIOs also identified challenges in balancing security and/or privacy with access to information. Another challenge was ensuring consistency in information dissemination activities across the agency. Privacy--The agency CIO is responsible for compliance with the Privacy Act and related laws. 44 U.S.C. 3506(g). Results; Yes: 17; No: 10. Summary: * Of the CIOs holding this responsibility, their responsibilities included activities to ensure compliance with privacy laws, such as developing privacy policies, conducting privacy impact assessments, and monitoring their agency's Web sites. Two CIOs said that they have centralized persons or units reporting directly to them that perform all information privacy responsibilities. In order to increase staff awareness of privacy requirements, a few CIOs conducted training programs to address privacy issues; * In the agencies in which the CIO did not have responsibility for privacy, the responsibility was most often held by the Office of General Counsel and various FOIA and Privacy Offices. Only one CIO expressed some concern with this assignment of responsibility; * A few CIOs reported challenges in distinguishing privacy concerns from security concerns and in balancing privacy with requests for information. This ambiguity sometimes made it difficult to understand if information should be released, or not. Information Disclosure/Freedom of Information Act (FOIA)--The agency CIO is responsible for information access requirements, such as those of the FOIA and related laws. 44 U.S.C. 3506(g). Results; Yes: 9; No: 18. Summary: * Most CIOs with this responsibility reported that it was executed in concert with other units. Departmental and component-level FOIA offices were most often cited as partners in this area; * Where the CIO did not have responsibility for this area, responsibility was assigned to units such as department-and component- level FOIA offices, offices of public affairs, and offices of general counsel; * Several CIOs reported that the interplay among FOIA, privacy, records management, and security sometimes created challenges, such as whether to release specific information and under what conditions. Other CIOs stated that it is difficult to anticipate the volume and nature of requests and to plan accordingly. Coordination of activities with and ensuring adherence to standards by component-level organizations was also cited as a challenge by a few CIOs. Statistical Policy and Coordination--The agency CIO is responsible for the agency's statistical policy and coordination functions. 44 U.S.C. 3506(e). Results; Yes: 8; No: 19. Summary: * CIOs used various mechanisms to ensure that their responsibilities were being carried out, including guidance, tools, assessments and performance reviews, and information quality reports to OMB. Only 3 agencies with 1 of the 15 Principal Statistical Agencies[A] had assigned responsibility to the CIO; * Over half of the CIOs who did not have responsibility for this area reported that this function was appropriately assigned to other units. No CIOs expressed concern that they should have responsibility if they did not. Nine of the agencies where the CIO did not have responsibility for this function were home to 1 of the 15 Principal Statistical Agencies. Source: GAO. [End of table] [A] Principal Statistical Agencies include the Bureau of Economic Analysis (Department of Commerce), Bureau of Justice Statistics (Department of Justice), Bureau of Labor Statistics (Department of Labor), Bureau of Transportation Statistics (Department of Transportation), Economic Research Service (Department of Agriculture), Energy Information Administration (Department of Energy), Environmental Protection Agency, Internal Revenue Service's Statistics of Income Division (Department of the Treasury), National Agricultural Statistics Service (Department of Agriculture), National Center for Education Statistics (Department of Education), National Center for Health Statistics (Department of Health and Human Services), Science Resources Statistics (National Science Foundation), Office of Policy (Social Security Administration), Office of Management and Budget (Executive Office of the President), and the U.S. Census Bureau (Department of Commerce). [End of section] Appendix IV: CIO Tenure at Each Department and Agency: Agencies provided us with the start and end dates of the tenure of each of their CIOs since the passage of the Clinger-Cohen Act in February 1996. These data are represented in figure 1. Figure 3: Time Line of CIO Tenure at Each Department and Agency: [See PDF for image] [End of figure] [A] The number of bar elements for an agency may not add up to the total in this column because some individual CIOs are shown more than once, as their circumstances changed (e.g., an acting CIO that became a permanent CIO). [B] The Department of Defense named this individual as a Senior Civilian Official during this time; he had been nominated to the CIO position but not yet confirmed by the Senate. However, because the department stated that he was serving in the role of the CIO, we classified him as an Acting CIO until he was confirmed. [C] The first CIO for the National Aeronautics and Space Administration was in this position prior to the enactment of the Clinger-Cohen Act and left in February 1996, the same month that the second CIO was named. [D] The current Department of State CIO was made permanent on February 25, 2004. Table 1 contains statistical analysis of the data presented in figure 1. Computations have been provided both including and excluding the current CIOs. In cases where the current CIOs are included, the end of their tenure was established as of March 1, 2004, the ending date of data collection for this report. Table 2: Statistical Analysis of CIO Tenure: Mean (in months); Permanent and acting CIOs including current CIOs: 21; Permanent and acting CIOs excluding current CIOs: 21; Permanent CIOs including current CIOs: 27; Permanent CIOs excluding current CIOs: 30; Acting CIOs including current CIOs: 9; Acting CIOs excluding current CIOs: 9; Only current permanent CIOs: 21. Median (in months); Permanent and acting CIOs including current CIOs: 15; Permanent and acting CIOs excluding current CIOs: 15; Permanent CIOs including current CIOs: 23; Permanent CIOs excluding current CIOs: 23; Acting CIOs including current CIOs: 7; Acting CIOs excluding current CIOs: 7; Only current permanent CIOs: 16. Minimum (in months); Permanent and acting CIOs including current CIOs: 1[A]; Permanent and acting CIOs excluding current CIOs: 1[A]; Permanent CIOs including current CIOs: 1[A]; Permanent CIOs excluding current CIOs: 3[A]; Acting CIOs including current CIOs: 1; Acting CIOs excluding current CIOs: 1; Only current permanent CIOs: 1. Maximum (in months); Permanent and acting CIOs including current CIOs: 94; Permanent and acting CIOs excluding current CIOs: 75; Permanent CIOs including current CIOs: 94; Permanent CIOs excluding current CIOs: 75; Acting CIOs including current CIOs: 26; Acting CIOs excluding current CIOs: 26; Only current permanent CIOs: 94. Number of CIOs in this population; Permanent and acting CIOs including current CIOs: 108; Permanent and acting CIOs excluding current CIOs: 81; Permanent CIOs including current CIOs: 74; Permanent CIOs excluding current CIOs: 49; Acting CIOs including current CIOs: 34; Acting CIOs excluding current CIOs: 32; Only current permanent CIOs: 25. Number of CIOs in office less than 3 years; Permanent and acting CIOs including current CIOs: 89; Permanent and acting CIOs excluding current CIOs: 64; Permanent CIOs including current CIOs: 55; Permanent CIOs excluding current CIOs: 32; Acting CIOs including current CIOs: 34; Acting CIOs excluding current CIOs: 32; Only current permanent CIOs: 23. Number of CIOs in office greater than 5 years; Permanent and acting CIOs including current CIOs: 4; Permanent and acting CIOs excluding current CIOs: 3; Permanent CIOs including current CIOs: 4; Permanent CIOs excluding current CIOs: 3; Acting CIOs including current CIOs: 0; Acting CIOs excluding current CIOs: 0; Only current permanent CIOs: 1. Number of CIOs in office between 3 and 5 years; Permanent and acting CIOs including current CIOs: 15; Permanent and acting CIOs excluding current CIOs: 14; Permanent CIOs including current CIOs: 15; Permanent CIOs excluding current CIOs: 14; Acting CIOs including current CIOs: 0; Acting CIOs excluding current CIOs: 0; Only current permanent CIOs: 1. Percentage of CIOs in office at least 3 years; Permanent and acting CIOs including current CIOs: 18%; Permanent and acting CIOs excluding current CIOs: 21%; Permanent CIOs including current CIOs: 26%; Permanent CIOs excluding current CIOs: 35%; Acting CIOs including current CIOs: 0%; Acting CIOs excluding current CIOs: 0%; Only current permanent CIOs: 8%. Source: GAO. Note: CIOs who moved from acting to permanent status have been treated as if they were permanent the entire time, and calculations were performed on their aggregated time as one length of service. Also, these acting CIOs who became permanent were not included in the acting calculations above. [A] The first CIO for the National Aeronautics and Space Administration was in the CIO position prior to the enactment of the Clinger-Cohen Act and left in February 1996, the same month that the second CIO was named. The numbers listed for minimum tenure are the next shortest tenure. [End of table] [End of section] Appendix V: Comments from the Department of Agriculture: USDA: June 29, 2004: David A. Powner, Director: Information Technology Management Issues: U.S. General Accounting Office: 441 G. Street, N.W.: Washington, D.C. 20548: Dear Mr. Powner: The U.S Department of Agriculture has reviewed draft report number GAO- 04-823 entitled "Federal Chief Information Officers: Responsibilities, Reporting Relationships, Tenure, and Challenges." We thank you for the opportunity to review the report. Based on our review, we have no comments. If additional information is needed, please have a member of your staff contact Sherry Linkins, Office of the Chief Information Officer audit liaison, on (202) 720-9293. Sincerely, Signed by: Scott Charbo: Chief Information Officer: [End of section] Appendix VI: Comments from the Department of Defense (including the Departments of the Air Force, Army, and Navy): DEPARTMENT OF DEFENSE: 6000 DEFENSE PENTAGON: WASHINGTON, DC 20301-6000: CHIEF INFORMATION OFFICER: July 1, 2004: FAX TRANSMITTAL: Mr. David Powner: Director: Information Technology Management Issues: U.S. General Accounting Office: Washington, DC 20548: Dear Mr. Powner. The Department of Defense (DOD) appreciates the opportunity to respond to the GAO draft report on "FEDERAL CHIEF INFORMATION OFFICERS: Responsibilities, Reporting Relationships, Tenure, and Challenges," dated July 2004 (GAO Code 310455/GAO-04-823). The Department agrees with the findings in the report. However, we non- concur with GAO's recommendation/suggestion that Congress consider the legislative requirements related to the Chief Information Officer (CIO) responsibilities and the requirement for CIOs to report directly to the agency head. The Department's comments and supporting rationale are enclosed. My point of contact for this matter is Ms. Joyce France. You may contact her at (703) 604-1489 ext. 114 or by email joyce.france@osd.mil. Sincerely, Signed by: Priscilla E. Cruthrie: Deputy Assistant Secretary of Defense (Deputy CIO): Enclosure As Stated: Department of Defense Comments/Rationale: (1) GAO Recommendation/Suggestion: Review Statutory Requirements of CIOs Reporting to the Agency Head: FIndings/Justification: The GAO report reviewed whether CIOs were reporting to the agency head as required. by law. Twenty-one of the 27 (77%) agencies stated that reporting to the agency head was important or critical. In contrast, only two CIOs (who do not currently report directly to the agency head) stated that it was not important. Accordingly, these numbers indicate that most CIOs think it is important or critical that the CIO report to the agency head or at least, the deputy. Moreover, members of GAO's Executive Council and members of GAO's panels of former agency information technology executives expressed views that support this finding. However, the report discounts the views expressed by the two thirds of the current CIOs who replied that the reporting relationship to the agency head was important. The above statistics should be reflected in GAO's conclusion, which alters the recommendation contained in the report. Recommendation: In light of this finding, no recommendation should be made at all; or a recommendation that Congressional consideration should be given as to how to strengthen the CIO's reporting relationship and authority given today's environment where information and information technology are paramount in carrying out an Agency's mission. (2) GAO Recommendation/Suggestion: Review Statutory Requirements Related to CIO Responsibilities: Findings/Justification: During the study, GAO reviewed 13 statutory responsibilities and interviewed 27 Agency CIOs. The discussion on pages 11-16 found that all 27 CIOs had responsibility for IT capital planning, architecture, security, strategic planning and IT workforce. Twenty-five CIOs had some responsibility (albeit shared) for e-Gov initiatives, system acquisition, development and integration. In contrast, only approximately one-third had responsibility for information disclosure/freedom of information act (FOIA) and statistical policy. Recommendation: Consistent with the GAO findings, we propose if there is to be a GAO recommendation/suggestion in this area, it be expanded to focus on specific CIO responsibilities that Congress should review in light of the findings above, i.e., few COs had information disclosure/FOIA and statistical policy responsibilities. The recommendation should be more focused vice an open-ended recommendation. Technical Comment: Appendix IV, Figure 1: Dr. Wells is neither a career civil servant nor a political appointee. He is a "Schedule C" employee. The following are GAO's comments on the Department of Defense's letter dated July 1, 2004. GAO Comments: 1. We agree with the Department of Defense that strengthening the authority of CIOs in many of the areas for which they have responsibility can be crucial to their success and to the effectiveness of information and technology management in their agencies. However, we do not agree that there was an overall consensus that CIOs should report to their agency heads. The participants in our review offered a number of alternative reporting arrangements, including reporting to a deputy secretary or to a chief operating officer or equally high-level official, or maintaining a dual reporting relationship that includes the agency head. While such reporting relationships are not necessarily directly to the agency head, they may provide the authority and accountability necessary for CIOs to be effective in their organizations. We believe these alternatives deserve consideration if the Congress holds hearings or introduces legislation related to CIOs' reporting relationships. 2. We disagree that our Matter for Congressional Consideration should be more specific. While the two responsibilities mentioned by the Department of Defense clearly differ from the others in the number of CIOs reporting that they hold responsibility, the Congress has established a coordinated approach to managing federal agencies' information resources. As the Congress considers future statutory frameworks, this same coordinated approach may well be critical in its deliberations. Given the broad range of the Congress's purview, we do not want to suggest that the Congress constrain the scope of its deliberations should it choose to take another look at the responsibilities of the CIO. 3. We believe that we accurately characterized Dr. Wells's status. The Office of Personnel Management has used the term "political appointees" in various documents to describe Schedule C appointees. [End of section] Appendix VII: Comments from the Department of the Interior: United States Department of the Interior: OFFICE OF THE ASSISTANT SECRETARY: POLICY, MANAGEMENT AND BUDGET: Washington, DC 20240: JUL 06 2004: David A. Powner: Director: Information Technology Management Issues: U. S. General Accounting Office: 441 G Street, NW, Room 2T23: Washington, DC 20548: Dear Mr. Powner: Thank you for the opportunity to review and provide comments on the General Accounting Office (GAO) draft report entitled, "Federal Chief Information Officers: Responsibilities, Reporting Relationships, Tenure, and Challenges" (GAO-04-823). While the report makes no direct recommendation to change laws governing infornation technology (IT), it appears to imply the need for changes. The report correctly notes the time required to implement new changes, and that all agencies have not yet fully implemented the current requirements. This would strongly argue the need for stability in the laws rather than changes. In considering changes to the laws governing IT, please consider the impact of continuing changes to the ability of agencies to affect those changes. In one particular area, the Department of the Interior (DOI) recommends the requirements remain constant: the Chief Information Officer reports directly to the Secretary. This level of attention to IT needs is critical to being able to accomplish all the other requirements. The Secretary's personal involvement in IT at DOI, along with the personal involvement of her management team, are key factors in the evolutionary improvements we have made. For additional information, please contact W. Hord Tipton at (202) 208 6194. Sincerely: Signed by: P. Lynn Scarlett: Assistant Secretary: Policy Management and Budget: The following are GAO's comments on the Department of the Interior's letter dated July 6, 2004. GAO Comments: 1. While we recognize that agencies require time to implement major changes, most of the statutory requirements considered in our report have been law since 1996. Since the findings of our report indicate that opinions are mixed on whether the current statutory framework is the most appropriate, we continue to believe that if the Congress holds hearings or introduces legislation related to the CIOs' reporting relationships, the findings of this report should be considered. 2. We believe it is critical for CIOs to have the authority and accountability that they need in order to be effective in their organizations. The Department of the Interior's approach, with the CIO reporting to the Secretary, is consistent with the law and potentially provides strong support for the CIO in executing his responsibilities. However, the participants in our review offered a number of alternative reporting arrangements that could provide the CIO with the necessary support; these included reporting to a deputy secretary, to a chief operating officer, or equally high level official, or maintaining a dual reporting relationship that includes the agency head. We believe these alternatives deserve consideration if the Congress holds hearings or introduces legislation related to the CIOs' reporting relationships. [End of section] Appendix VIII: Comments from the Office of Personnel Management: UNITED STATES OFFICE OF PERSONNEL MANAGEMENT: WASHINGTON, DC 20415-1000: OFFICE OF THE DIRECTOR: David Powner: Director, Information Technology Management Issues: General Accounting Office: Washington, DC: July 6, 2004: [See PDF for page 1 of letter] Furthermore, in just the last few months, OPM has: * On June 29, 2004, hosted a training symposium for 230 agency Chief Human Capital Officers (CHCO) and human resources professionals from 30 Federal agencies on hiring flexibilities currently available to improve the federal hiring process. The all-day symposium featured sessions on various hiring flexibilities. including sessions on veterans hiring and student and excepted service employment authorities. as well as a review of re-engineering efforts by the Air Force to improve hiring processes and reduce the lapse rate in filling jobs. * At our June 17, 2004, CHCO Academy meeting offered a review of hiring authorities and flexibilities applicable to veterans. students and recent college graduates. The meeting included a detailed discussion of the appointing authorities agency managers and HR officials have at their disposal to hire qualified veterans, including those with service-connected disabilities, reviewed the Veterans' Recruitment Appointment (VRA), Veterans Employment Opportunities Act (VEOA) Appointment, and the hiring authority for veterans with a 30 percent or more service-connected disability rating. The meeting also focused on Direct-Hire Authority and Category Rating, human resources tools OPM has made available to agencies to expedite the hiring of highly qualified individuals. The meeting also sparked dialogue about the government's Presidential Management Fellows (PMF) Program, which attracts people with post-graduate degrees in public administration and a variety of other disciplines, and prepares them for ascension into top leadership posts. The new Senior Presidential Management Fellows Program, a component of the PMF Program, is designed to attract mid- level, private-sector employees for appointment to the upper professional ranks. * On June 15, 2004, hosted a Best Practices Showcase featuring NASA's strategic human capital initiatives for over 200 agency senior human capital leaders, senior executives and managers, and human resource professionals. The objective of the showcase was to highlight proven practices that other Federal agencies can adopt to improve human capital systems. The showcase included presentations by several of NASA's senior management, and breakout sessions on performance culture, leadership and knowledge management, and talent - the key drivers in transforming Federal agencies into results-oriented employers that attract, retain and reward a highly performing workforce. During a panel discussion, NASA fielded questions on how they obtained the NASA Workforce Flexibilities Act of 2004, how they plan to use the various employment flexibilities provided by OPM and this legislation, and their expected results in revitalizing their workforce. * Recently hosted a briefing on the results of our Federal hiring survey to inform interest groups about progress being made in the on- going effort to streamline the Federal Government's hiring process. Attending the briefing were representatives from the Partnership for Public Service, National Academy of Public Administration. National Hispanic Association of Federal Executives and the Society for Human Resource Management. During the briefing, OPM Senior Policy Advisor to the Director, Dr. Doris L. Hausser highlighted the critical role that the managers who are selecting among applicants, as well as human resources professionals, play within federal agencies. The briefing included discussion on existing hiring flexibilities, expediting the hiring process, and using the available appointing authorities, including those for veterans and students. At the conclusion of the meeting, pertinent materials on the results of the survey and other aspects of the federal hiring process were distributed. * On May 26, 2004, hosted a special Veteran Employment Symposium at the Ronald Reagan Building and International Trade Center for agency human capital leaders, human resources specialists. and program managers on veterans' preference and recruitment. The all-day event focused on advancing existing policies and strategies to recruit veterans into the Federal work force, and to reiterate that veterans preference is the law and not a courtesy. * On May 25, 2004, convened a meeting of the Chief Human Capital Officers Council and the leaders of America's Veterans Service Organizations at Walter Reed Army Medical Center. Attendees were reminded that there are no longer any excuses for not using the many hiring authorities available to Federal agencies to bring veterans into the Federal service. OPM is very aware that recruitment and retention is a critical human capital issue for the Federal Government, whether it be Chief Information Officers, IT specialists or any other occupation important to mission accomplishment, and we continue to take steps to assist agencies in ensuring they have a workforce capable of meeting their strategic goals. At the same time, Federal agencies must, and are, increasing acknowledging their role in utilizing available flexibilities to recruit and retain a quality workforce. In summary, this report refers to previous GAO report recommendations from 2002 and 2003 citing the need for additional actions to further facilitate the use of human resources management flexibilities. Numerous actions have, in fact, been taken. Sincerely, Signed by: Kay Coles James: Director: [End of section] Appendix IX: Comments from the Department of the Treasury: DEPARTMENT OF THE TREASURY: WASHINGTON, D.C. 20220: JUL 2 2004: Mr. Lester Diamond: Assistant Director: Information Technology Management Issues: General Accounting Office: 441 G Street, NW Room 5T37: Washington, DC 20548: Re: Comments on Draft Report--"Federal ChiefInformation Officers: Responsibilities Reporting Relationships, Tenure, and Challenges" (Report #GAO-040-823): Dear Mr. Diamond: I would like to thank the Government Accounting Office for allowing Treasury to participate in the development of this report including commenting on the initial draft. The overall draft report correctly identifies the major challenges facing agency CIO's such as implementing effective IT management, obtaining sufficient and relevant resources, communicating and collaborating internally and externally, and managing change. I am confident GAO's final report will provide valuable information on the importance of the CIO and their role as information technology leaders. Furthermore, the final report is critical to underscore the challenges we face, particularly in transitioning to on-line business and environments through E-government initiatives. I look forward to reviewing the final report when issued. If you have any questions, please feel free to contact me at 202-622-1200 or via email at ira.hobbs@do.treas.gov. Sincerely, Signed by: Ira L. Hobbs: Chief Information Officer: [End of section] Appendix X: Comments from the U.S. Agency for International Development: USAID: U.S. AGENCY FOR INTERNATIONAL DEVELOPMENT: June 25, 2004: David Powner: Director: Information Technology Management Issues: U.S. General Accounting Office: 441 G Street, N.W.: Washington, D.C. 20548: Dear Mr. Powner: I am pleased to provide the U.S. Agency for International Development's (USAID's) formal response on the draft GAO report entitled "Federal Chief Information Officers: Responsibilities, Reporting, Relationships, Tenure, and Challenges" (June 2004). We concur in the content of the report and have no comments. Thank you for the opportunity to respond to the GAO draft report and for the courtesies extended by your staff in the conduct of this review. Sincerely, Signed by: John Marshall: Assistant Administrator: Bureau for Management: [End of section] Appendix XI: GAO Contact and Staff Acknowledgments: GAO Contact: Lester Diamond, 202-512-7957 or [Hyperlink, diamondl@gao.gov] Staff Acknowledgments: Neha Bhavsar, Margaret W. Davis, Neil J. Doherty, Joanne Fiorino, Evan B. Gilman, Peggy A. Hegg, Ashfaq M. Huda, Robert G. Kershaw, Linda J. Lambert, Mary Beth McClanahan, David F. Plocher, and Cynthia J. Scott made key contributions to this report. (310455): FOOTNOTES [1] U.S. General Accounting Office, Improving Government: Actions Needed to Sustain and Enhance Management Reforms, GAO/T-OCG-94-1 (Washington, D.C.: Jan. 27, 1994), Government Reform: Using Reengineering and Technology to Improve Government Performance, GAO/T- OCG-95-2 (Washington, D.C.: Feb. 2, 1995), and Government Reform: Legislation Would Strengthen Federal Management of Information and Technology, GAO/T-AIMD-95-205 (Washington, D.C.: July 25, 1995). [2] U.S. General Accounting Office, High-Risk Series: An Update, GAO- 03-119 (Washington, D.C.: January 2003) and Major Management Challenges and Program Risks: A Governmentwide Perspective, GAO-03-95 (Washington, D.C.: January 2003). [3] U.S. General Accounting Office, Maximizing the Success of Chief Information Officers: Learning from Leading Organizations, GAO-01-376G (Washington, D.C.: February 2001). [4] These areas are further defined in the Scope and Methodology section of this report. [5] This section of the U.S. Code requires 24 departments and agencies to establish chief financial officers. We did not include the Federal Emergency Management Agency in our review, even though it is 1 of the 24 departments and agencies, because this agency has been transferred to the Department of Homeland Security. [6] The 27 agencies covered by this report are the Departments of Agriculture, the Air Force, the Army, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, the Navy, State, Transportation, the Treasury, and Veterans Affairs; and the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development. [7] The Clinger-Cohen Act requirement that agency CIOs have IRM as their primary duty applies to the major departments and agencies listed in 31 U.S.C. 901(b), which does not include the Department of Homeland Security, or the military departments of the Air Force, the Army, and the Navy. [8] The Homeland Security Act of 2002 states that the CIO for the Department of Homeland Security shall report to the Secretary of Homeland Security or to another official as directed by the Secretary. As allowed by the law, the Secretary has directed the CIO to report to the Under Secretary of Management. [9] GAO-03-119 and GAO-03-95. [10] IRM is the process of managing information resources to accomplish agency missions and to improve agency performance. [11] P.L. 96-511, December 11, 1980. [12] P.L. 104-106, February 10, 1996. The law, initially entitled the Information Technology Management Reform Act (ITMRA), was subsequently renamed the Clinger-Cohen Act in P.L. 104-208, September 30, 1996. [13] The E-Government Act of 2002 reiterated agency responsibility for information resources management. P.L. 107-347, December 17, 2002. [14] Three areas of responsibility--enterprise architecture, systems acquisition, development and integration, and e-government initiatives--are not assigned to CIOs by statute; they are assigned to the agency heads by law or guidance. However, in virtually all agencies, the agency heads have delegated these areas of responsibility to their CIOs. [15] The 23 major departments and agencies identified in 31 U.S.C. 901, the Department of Homeland Security, and the 3 military services (see footnote 6 for a list of agencies). [16] Out of a total of 69 possible responses (instances of CIOs without responsibility for one or more of the 13 information and technology management areas), CIOs expressed an opinion on whether they had any concerns with their agency's assignment in 42 instances. [17] Principal Statistical Agencies include the Bureau of Economic Analysis (Department of Commerce), Bureau of Justice Statistics (Department of Justice), Bureau of Labor Statistics (Department of Labor), Bureau of Transportation Statistics (Department of Transportation), Economic Research Service (Department of Agriculture), Energy Information Administration (Department of Energy), Environmental Protection Agency, Internal Revenue Service's Statistics of Income Division (Department of the Treasury), National Agricultural Statistics Service (Department of Agriculture), National Center for Education Statistics (Department of Education), National Center for Health Statistics (Department of Health and Human Services), Science Resources Statistics (National Science Foundation), Office of Policy (Social Security Administration), Office of Management and Budget (Executive Office of the President), and the U.S. Census Bureau (Department of Commerce). [18] U.S. House of Representatives, Paperwork Reduction Act of 1980, House Report 96-835, (Washington, D.C.: Mar. 19, 1980). [19] See, for example, U.S. General Accounting Office, Information Technology Management: Governmentwide Strategic Planning, Performance Measurement, and Investment Management Can Be Further Improved, GAO-04- 49 (Washington, D.C.: Jan. 12, 2004) and Information Technology: Leadership Remains Key to Agencies Making Progress on Enterprise Architecture Efforts, GAO-04-40 (Washington, D.C.: Nov. 17, 2003). [20] GAO-04-49. [21] The Clinger-Cohen Act requirement that agency CIOs have IRM as their primary duty applies to the major departments and agencies listed in 31 U.S.C. 901(b), which does not include the Department of Homeland Security, or the military departments of the Air Force, the Army, and the Navy. [22] U.S. General Accounting Office, Chief Information Officers: Ensuring Strong Leadership and an Effective Council, GAO/T-AIMD-98-22 (Washington, D.C.: Oct. 27, 1997). [23] U.S. Senate Committee on Governmental Affairs, Paperwork Reduction Act of 1995, Senate Report 104-8 (Washington, D.C.: Jan. 30, 1995). [24] U.S. General Accounting Office, VA Information Technology: Improvements Needed to Implement Legislative Reforms, GAO/AIMD-98-154 (Washington, D.C.: July 7, 1998). [25] The Homeland Security Act of 2002 states that the CIO for the Department of Homeland Security shall report to the Secretary of Homeland Security or to another official as directed by the Secretary. As allowed by the law, the Secretary has directed the CIO to report to the Under Secretary for Management. [26] U.S. General Accounting Office, Highlights of a GAO Roundtable: The Chief Operating Officer Concept: A Potential Strategy to Address Federal Governance Challenges, GAO-03-192SP (Washington, D.C.: Oct. 4, 2002) and Comptroller General's Forum: High-Performing Organizations: Metrics, Means, and Mechanisms for Achieving High Performance in the 21ST Century Public Management Environment, GAO-04-343SP (Washington, D.C.: Feb. 13, 2004). [27] We did not include acting CIOs in this calculation, unless the acting CIO later was put in the permanent position. Further analysis of tenure data is provided in appendix IV. [28] House of Representatives, National Defense Authorization Act for Fiscal Year 1996, Conference Report to Accompany S.1124, House Report 104-450 (Washington, D.C.: Jan. 22, 1996). [29] GAO-01-376G. [30] U.S. General Accounting Office, Results-Oriented Cultures: Implementation Steps to Assist Mergers and Organizational Transformations, GAO-03-669 (Washington, D.C.: July 2, 2003). [31] For the most recent reports, see GAO-03-119 and GAO-03-95. [32] We did not include acting CIOs in this calculation--unless the acting CIO was later put in the permanent position--but about three- quarters of the agencies had acting CIOs at some time since the inception of the Clinger-Cohen Act. The median tenure of acting CIOs who had completed their time in office was about 7 months. [33] U.S. General Accounting Office, Managing For Results: Emerging Benefits From Selected Agencies' Use of Performance Agreements, GAO-01- 115 (Washington, D.C.: Oct. 30, 2000). [34] House Report 104-450. [35] U.S. General Accounting Office, A Model of Strategic Human Capital Management, GAO-02-373SP, Exposure Draft (Washington, D.C.: Mar. 15, 2002). [36] U.S. General Accounting Office, Human Capital: Effective Use of Flexibilities Can Assist Agencies in Managing Their Workforces, GAO-03- 2 (Washington, D.C.: Dec. 6, 2002). [37] U.S. General Accounting Office, Human Capital: OPM Can Better Assist Agencies in Using Personnel Flexibilities, GAO-03-428 (Washington, D.C.: May 9, 2003). [38] See, for example, U.S. General Accounting Office, High-Risk Series: Protecting Information Systems Supporting the Federal Government and the Nation's Critical Infrastructures; GAO-03-121 (Washington, D.C.: Jan. 1, 2003); GAO-04-49; GAO-04-40; and GAO-03-95. [39] U.S. General Accounting Office, Executive Guide: Information Security Management: Learning from Leading Organizations, GAO/AIMD-98- 68 (Washington, D.C.: May 1, 1998) and Information Security Risk Assessment: Practices of Leading Organizations, GAO/AIMD-00-33 (Washington, D.C.: Nov. 1, 1999). [40] U.S. General Accounting Office, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, Version 1.1, GAO-04-394G (Washington, D.C.: Mar. 1, 2004). See also, U.S. General Accounting Office, Executive Guide: Measuring Performance and Demonstrating Results of Information Technology Investments, GAO/ AIMD-98-89 (Washington, D.C.: Mar. 1, 1998). [41] U.S. General Accounting Office, Information Technology: A Framework for Assessing and Improving Enterprise Architecture Management (Version 1.1), GAO-03-584G (Washington, D.C.: April 1, 2003). [42] U.S. General Accounting Office, Chief Information Officers: Implementing Effective CIO Organizations, GAO/T-AIMD-00-128 (Washington, D.C.: Mar. 24, 2000). [43] U.S. General Accounting Office, Executive Guide: Improving Mission Performance Through Strategic Information Management and Technology, GAO/AIMD-94-115 (Washington, D.C.: May 1, 1994) and GAO-01-376G. [44] U.S. General Accounting Office, High-Risk Series: An Update, GAO- 01-263 (Washington, D.C.: January 1, 2001) and High-Risk Series: Strategic Human Capital Management, GAO-03-120 (Washington, D.C.: January 2003). [45] U.S. General Accounting Office, Human Capital: Additional Collaboration Between OPM and Agencies Is Key to Improved Federal Hiring, GAO-04-797 (Washington, D.C.: June 7, 2004). [46] See U.S. General Accounting Office, Human Capital: A Guide for Assessing Strategic Training and Development Efforts in the Federal Government, GAO-04-546G (Washington, D.C.: Mar. 1, 2004); Human Capital: Selected Agencies' Experiences and Lessons Learned in Designing Training and Development Programs, GAO-04-291 (Washington, D.C.: Jan. 30, 2004); Human Capital: Key Principles for Effective Strategic Workforce Planning, GAO-04-39 (Washington, D.C.: Dec. 11, 2003); Human Capital: Insights for U.S. Agencies from Other Countries Succession Planning and Management Initiatives, GAO-03-914 (Washington, D.C.: Sept. 15 , 2003); Human Capital: Opportunities to Improve Executive Agencies' Hiring Processes, GAO-03-450 (Washington, D.C.: May 30, 2003); Human Capital: OPM Can Better Assist Agencies in Using Personnel Flexibilities, GAO-03-428 (Washington, D.C.: May 9, 2003); and Information Technology Training: Practices of Leading Private-Sector Companies, GAO-03-390 (Washington, D.C.: Jan. 31, 2003). [47] GAO-01-376G. [48] GAO-04-343SP. [49] U.S. General Accounting Office, Year 2000 Computing Challenge: Lessons Learned Can Be Applied to Other Management Challenges, GAO/ AIMD-00-290 (Washington, D.C.: Sept. 12, 2000). [50] U.S. General Accounting Office, Highlights of a GAO Forum: Mergers and Transformation: Lessons Learned for a Department of Homeland Security and Other Federal Agencies, GAO-03-293SP (Washington, D. C.: Nov. 14, 2002), Results-Oriented Cultures: Implementation Steps to Assist Mergers and Organizational Transformation, GAO-03-669 (Washington, D.C.: July 2, 2003). [51] DOD submitted a single letter that included comments from the Departments of the Air Force, Army, and Navy. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: